[1] is the upstream issue for this CVE. As far as I can tell, the maintainer believes that the exploitability of this issue is quite low because it requires being able to modify responses made over TLS. But they are still working on a solution AFAICS. [1]: https://github.com/ncw/rclone/issues/2376