CVE-2024-43201

Planet Fitness Workouts mobile apps do not properly validate TLS certificates

CVSS 8.7 HIGHEPSS 0.4%CWE-295

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 8.7EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

23 Sep 2024Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

The Planet Fitness Workouts iOS and Android mobile apps fail to properly validate TLS certificates, allowing an attacker with appropriate network access to obtain session tokens and sensitive information. Planet Fitness first addressed this vulnerability in version 9.8.12 (released on 2024-07-25) and more recently in version 9.9.13 (released on 2025-02-11).

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/S:N/R:U/V:D/RE:L/U:Amber

Affected products

Planet Fitness · Planet Fitness Workouts

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://apps.apple.com/us/app/planet-fitness-workouts/id399857015 https://dontvacuum.me/bugs/pf/