Missing hostname validation allows an attacker to perform a person in the middle attack against users of the em-http-request library.
An attacker can assume the identity of a trusted server and introduce malicious data in an otherwise trusted place.
This report was subject to the GHSL coordinated disclosure policy.
This issue was discovered and reported by GHSL team member @agustingianni (Agustin Gianni).
You can contact the GHSL team at
firstname.lastname@example.org, please include the GHSL-ID:
GHSL-2020-094 in any communication regarding this issue.