CVE-2025-27820: Apache HttpClient disables domain checks
7.5
Basic Information
Technical Details
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.apache.httpcomponents.client5:httpclient5 | maven | >= 5.4-alpha1, < 5.4.3 | 5.4.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability description states that a bug in the PSL validation logic disables domain checks. I analyzed the provided pull requests and their commits. PR #621 (commits e88b388d, cb2aec6a, f105c129) directly addresses a bug in how the Public Suffix List is loaded by `PublicSuffixMatcherLoader.getDefault()`. Specifically, commit cb2aec6ab11603c7d08b71761932011d45a96f92 fixes the path to the `effective_tld_names.dat` file by adding a leading slash, changing it from `"org/publicsuffix/list/effective_tld_names.dat"` to `"/org/publicsuffix/list/effective_tld_names.dat"`. The commit message for this fix explains that `Class#getResource` requires an absolute path (leading slash) when the resource is at the root of the classpath or is not relative to the class's package. Before this fix, if `Class.getResource()` failed to find the file because of the incorrect path, the `getDefault()` method would likely initialize `DEFAULT_INSTANCE` with a `PublicSuffixMatcher` that lacked the necessary suffix rules (as confirmed by the PR #621 description: "a non-null nearly empty default PublicSuffixMatcher is still provided in the case of the url not existing"). This would lead to the described 'disabled domain checks'. Therefore, the `org.apache.hc.client5.http.psl.PublicSuffixMatcherLoader.getDefault()` method, in its state prior to this fix, is the vulnerable function.
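As an added example (not from this advisory or the HttpClient project), a Java startup check that detects the symptom described above, a default `PublicSuffixMatcher` loaded without any suffix rules, and, if found, loads the bundled list explicitly through the absolute resource path the fix introduces. The class and helper names (`PslSanityCheck`, `hasSuffixRules`, `loadBundledList`) are my own; `matches`, `getDomainRoot` and `PublicSuffixMatcherLoader.load(URL)` are existing httpclient5 methods.

```java
import java.net.URL;
import org.apache.hc.client5.http.psl.PublicSuffixMatcher;
import org.apache.hc.client5.http.psl.PublicSuffixMatcherLoader;

public final class PslSanityCheck {

    // Absolute classpath path, i.e. the corrected path from PR #621.
    private static final String PSL_RESOURCE = "/org/publicsuffix/list/effective_tld_names.dat";

    /**
     * A matcher built from the real list knows that "co.uk" is a public suffix
     * and that the registrable part of "www.example.co.uk" is "example.co.uk".
     * A matcher built without the list has no rules, so it treats "co.uk" as an
     * ordinary registrable domain and both checks fail.
     */
    static boolean hasSuffixRules(PublicSuffixMatcher matcher) {
        return matcher.matches("co.uk")
                && "example.co.uk".equals(matcher.getDomainRoot("www.example.co.uk"));
    }

    /** Loads the bundled list via the absolute path; null if it is not on the classpath at all. */
    static PublicSuffixMatcher loadBundledList() throws Exception {
        URL url = PublicSuffixMatcherLoader.class.getResource(PSL_RESOURCE);
        return url != null ? PublicSuffixMatcherLoader.load(url) : null;
    }

    public static void main(String[] args) throws Exception {
        PublicSuffixMatcher matcher = PublicSuffixMatcherLoader.getDefault();
        if (hasSuffixRules(matcher)) {
            System.out.println("Default PublicSuffixMatcher has suffix rules: domain checks active");
            return;
        }
        // This is the state the root cause analysis describes for 5.4.x before 5.4.3.
        System.out.println("Default PublicSuffixMatcher has no rules: domain checks are disabled");
        PublicSuffixMatcher explicit = loadBundledList();
        if (explicit == null || !hasSuffixRules(explicit)) {
            throw new IllegalStateException("Public Suffix List not loadable; upgrade httpclient5 to 5.4.3 or later");
        }
        // Hand 'explicit' to HttpClientBuilder#setPublicSuffixMatcher so cookie and
        // hostname checks use a populated matcher until the library is upgraded.
        System.out.println("Bundled list loaded explicitly via absolute resource path");
    }
}
```

Run this once at application start against the httpclient5 version on the classpath; a failing first check on a 5.4.x build before 5.4.3 confirms exposure without needing to reproduce any cookie or hostname behaviour.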