CVE-2021-0341: Square OkHttp can accept the wrong certificate

May 24, 2022 (updated November 13, 2025)

In verifyHostName of OkHostnameVerifier.java, there is a possible way to accept a certificate for the wrong domain due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11 Android ID: A-171980069

References

github.com/advisories/GHSA-3cqm-mf7h-prrj
github.com/square/okhttp
github.com/square/okhttp/commit/f574ea2f5259d9040f264ddeb582fb1ce563f10c
github.com/square/okhttp/issues/6724
github.com/square/okhttp/pull/6741
nvd.nist.gov/vuln/detail/CVE-2021-0341
source.android.com/security/bulletin/2021-02-01

Code Behaviors & Features

Detect and mitigate CVE-2021-0341 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →