The correct fix is to never trust the header for which algorithm you're using.
https://infosec.exchange/@sophieschmieg/115132001021790785