Missing hostname validation allows an attacker to perform a monster in the middle attack against users of the library.
An attacker can assume the identity of a trusted server and introduce malicious data in an otherwise trusted place.
Implement hostname validation.
This issue was discovered and reported by GHSL team member @agustingianni (Agustin Gianni).
You can contact the GHSL team at
firstname.lastname@example.org, please include the
GHSL-2020-095 in any communication regarding this issue.