CVE-2024-43201

HIGH

Planet Fitness Workouts - Info Disclosure

Title source: llm

Description

The Planet Fitness Workouts iOS and Android mobile apps fail to properly validate TLS certificates, allowing an attacker with appropriate network access to obtain session tokens and sensitive information. Planet Fitness first addressed this vulnerability in version 9.8.12 (released on 2024-07-25) and more recently in version 9.9.13 (released on 2025-02-11).

References (2)

Core 2

Core References

Product

https://apps.apple.com/us/app/planet-fitness-workouts/id399857015

Exploit, Third Party Advisory

https://dontvacuum.me/bugs/pf/

Scores

CVSS v3 8.8

EPSS 0.0040

EPSS Percentile 31.3%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-295

Status published

Products (1)

planetfitness/planet_fitness_workouts < 9.8.12

Published Sep 23, 2024

Tracked Since Feb 18, 2026