Missing hostname validation allows an attacker to perform a person-in-the-middle attack against users of the em-http-request library.
GHSL-2020-094: Missing SSL/TLS certificate hostname validation
An attacker can assume the identity of a trusted server and introduce malicious data in an otherwise trusted place.
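The following is an added example, not code from em-http-request or from the advisory. It shows, in general terms, why a client that checks only the certificate chain can be impersonated, and what the hostname check adds. The CA, the `example.test` names and the helper names (`issue`, `chain_only_accepts?`, `strict_accepts?`, `demo`) are constructed for illustration.

```ruby
require "openssl"

# Issue a constructed test certificate. With no issuer it is a self-signed CA.
def issue(cn, key, issuer_cert: nil, issuer_key: nil, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = (issuer_cert || cert).subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ca_flag = issuer_cert.nil? ? "CA:TRUE" : "CA:FALSE"
  cert.add_extension(ef.create_extension("basicConstraints", ca_flag, true))
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{san}")) if san
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Chain validation only: "was this certificate issued by a CA I trust?"
def chain_only_accepts?(leaf, store)
  store.verify(leaf)
end

# Chain validation plus the check that the certificate names the dialed host.
def strict_accepts?(leaf, store, dialed_host)
  store.verify(leaf) &&
    OpenSSL::SSL.verify_certificate_identity(leaf, dialed_host)
end

# Constructed scenario: a trusted CA issued a certificate for other.example.test,
# and a client that intended to reach api.example.test is presented with it.
def demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = issue("Constructed Test CA", ca_key)
  leaf = issue("other.example.test", OpenSSL::PKey::RSA.new(2048),
               issuer_cert: ca, issuer_key: ca_key, san: "other.example.test")
  store = OpenSSL::X509::Store.new
  store.add_cert(ca)
  { chain_only: chain_only_accepts?(leaf, store),
    strict_wrong_host: strict_accepts?(leaf, store, "api.example.test"),
    strict_right_host: strict_accepts?(leaf, store, "other.example.test") }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The chain-only check accepts the certificate regardless of which host was dialed; only the identity check ties the certificate to the intended server.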
Coordinated Disclosure Timeline
This report was subject to the GHSL coordinated disclosure policy.
- 18/05/2020: Report sent to Vendor
- 23/05/2020: Vendor acknowledged report
- 24/05/2020: Report published to public
- 30/05/2020: Vendor fixed the issue
This issue was discovered and reported by GHSL team member @agustingianni (Agustin Gianni).
You can contact the GHSL team at firstname.lastname@example.org. Please include the GHSL-ID GHSL-2020-094 in any communication regarding this issue.