CVE-2024-43201
Last modified
CVE-2024-43201 is a high-severity vulnerability rated 8.7/10 on the CVSS scale (the CVSS 4.0 vector listed under Metrics). The Planet Fitness Workouts iOS and Android mobile apps fail to properly validate TLS certificates, allowing an attacker with appropriate network access to obtain session tokens and sensitive information. Planet Fitness first addressed this vulnerability in version 9.8.12 (released on 2024-07-25) and more recently in version 9.9.13 (released on 2025-02-11). EPSS estimates a 0.40% chance of exploitation in the next 30 days.
Description
The Planet Fitness Workouts iOS and Android mobile apps fail to properly validate TLS certificates, allowing an attacker with appropriate network access to obtain session tokens and sensitive information. Planet Fitness first addressed this vulnerability in version 9.8.12 (released on 2024-07-25) and more recently in version 9.9.13 (released on 2025-02-11).
Metrics
- CVSS 3.1 vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
- CVSS 4.0 vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:X/R:U/V:D/RE:L/U:Amber
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Planetfitness | Planet Fitness Workouts | < 9.8.12 |
References
- https://dontvacuum.me/bugs/pf/Exploit (Third Party Advisory)
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2024-43201?
How severe is CVE-2024-43201?
How do I fix CVE-2024-43201?
Source: NVD / NIST
