PT-2022-17018 · Mellium · Mellium

Travis Burtrum · Published 2022-02-11 · Updated 2022-08-22 · CVE-2022-24968

CVSS v3.1 5.9 (Medium)
Vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Mellium mellium.im/xmpp versions 0.21.0 and earlier

Description

An attacker capable of spoofing DNS TXT records can redirect a WebSocket connection request to a server under their control without causing TLS certificate verification to fail. This occurs because the wrong host name is selected during that verification: the server certificate is checked against the host name carried in the TXT record (which the attacker supplies), not against the name of the server the client was asked to connect to. An attacker who holds a valid certificate for their own host therefore passes verification, which allows man-in-the-middle attacks via DNS spoofing.

Recommendations

For Mellium mellium.im/xmpp versions 0.21.0 and earlier, providing a tls.Config with its ServerName field set to the correct destination host name (the intended server, not the host learned from the TXT record) will avoid this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
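The following Go program is an added example and not code from Mellium or from this advisory's author. It uses only the standard library (no mellium.im/xmpp), reproduces the name-selection flaw offline with a constructed XEP-0156-style TXT record and a throwaway certificate, and shows the recommended tls.Config mitigation. All host names (xmpp.example, attacker.example) and function names are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// Constructed TXT record as an attacker spoofing the _xmppconnect lookup for
// xmpp.example would return it. Host names are hypothetical; no DNS or
// network access happens anywhere in this example.
const spoofedTXT = "_xmpp-client-websocket=wss://attacker.example/xmpp-websocket"

// parseWebSocketTXT extracts the WebSocket endpoint from a TXT record and
// refuses anything that is not a wss:// URL with a host.
func parseWebSocketTXT(record string) (*url.URL, error) {
	const key = "_xmpp-client-websocket="
	if !strings.HasPrefix(record, key) {
		return nil, fmt.Errorf("not a websocket TXT record: %q", record)
	}
	u, err := url.Parse(strings.TrimPrefix(record, key))
	if err != nil {
		return nil, err
	}
	if u.Scheme != "wss" || u.Hostname() == "" {
		return nil, fmt.Errorf("refusing endpoint %q: need wss:// with a host", record)
	}
	return u, nil
}

// vulnerableServerName reproduces the flawed choice: verify against the host
// from the discovered URL, i.e. a name the attacker picked via the TXT record.
func vulnerableServerName(origin string, endpoint *url.URL) string {
	return endpoint.Hostname()
}

// hardenedServerName pins verification to the server the user asked for,
// whatever host the TXT record redirected the connection to.
func hardenedServerName(origin string, endpoint *url.URL) string {
	return origin
}

// hardenedTLSConfig is the recommended mitigation: an explicit tls.Config whose
// ServerName is the intended destination rather than the TXT-supplied host.
func hardenedTLSConfig(origin string) *tls.Config {
	return &tls.Config{ServerName: origin, MinVersion: tls.VersionTLS12}
}

// selfSignedFor issues a throwaway self-signed certificate for the given DNS
// names; it stands in for a validly issued cert for a domain the attacker owns.
func selfSignedFor(names ...string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: names[0]},
		DNSNames:              names,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAs performs the chain and host name check crypto/tls runs during a
// handshake, trusting the attacker's cert as a root (a CA that issued it).
func verifyAs(cert *x509.Certificate, serverName string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{DNSName: serverName, Roots: roots})
	return err == nil
}

// simulateMITM follows a client that asked for origin but was redirected by a
// spoofed TXT record, and reports whether each name selection accepts the
// attacker's certificate.
func simulateMITM(origin, txt string) (vulnerableAccepts, hardenedAccepts bool, err error) {
	endpoint, err := parseWebSocketTXT(txt)
	if err != nil {
		return false, false, err
	}
	attackerCert, err := selfSignedFor(endpoint.Hostname())
	if err != nil {
		return false, false, err
	}
	vulnerableAccepts = verifyAs(attackerCert, vulnerableServerName(origin, endpoint))
	hardenedAccepts = verifyAs(attackerCert, hardenedServerName(origin, endpoint))
	return vulnerableAccepts, hardenedAccepts, nil
}

func main() {
	vuln, hard, err := simulateMITM("xmpp.example", spoofedTXT)
	if err != nil {
		panic(err)
	}
	fmt.Printf("verify against TXT host: accepted=%v (MITM succeeds)\n", vuln)
	fmt.Printf("verify against origin:   accepted=%v (MITM fails)\n", hard)
	fmt.Printf("mitigation ServerName=%q\n", hardenedTLSConfig("xmpp.example").ServerName)
}
```

The two verification calls differ only in the name passed as DNSName, which is exactly what tls.Config.ServerName controls in a real handshake: with the TXT-derived host the attacker's certificate is accepted, with the intended origin it fails with a host name mismatch.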

Weakness Enumeration

CWE-295: Improper Certificate Validation

Related Identifiers

CVE-2022-24968
GHSA-H289-X5WC-XCV8
GHSA-M658-P24X-P74R
GO-2021-0321
GO-2022-0370
GO-2022-0947

Affected Products

Mellium