The mitigation is to disable local network access while the VPN is connected. Many clients do this, at least on some platforms. It was interesting to see that on iOS every tested app was vulnerable to this data leaking attack, and nearly every one of them on the macOS. It appears that the iOS API for working with VPNs has only recently introduced a control for how to handle local network traffic, leading to the abysmal results.

Not surprised mac OS sucks at this but is Linux vulnerable as well?