| Version | Supported |
|---|---|
| 1.x | ✅ |
| < 1.0 | ❌ (pre-release) |

If you discover a security vulnerability in TagLibSharp2, please report it responsibly:

- Do NOT open a public GitHub issue for security vulnerabilities
- Use GitHub's private vulnerability reporting: https://github.com/decriptor/TagLibSharp2/security/advisories/new
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)

We will acknowledge receipt within 48 hours and provide a detailed response within 7 days.

TagLibSharp2 parses untrusted binary data from media files. While we implement defensive parsing:
- Malformed files: The library uses result types rather than exceptions to handle malformed data gracefully
- Large files: Consider memory limits when loading entire files; the library does not currently enforce size limits
- Embedded content: Album art and other embedded data are passed through without sanitization. Applications should validate image data before rendering
- All parsing uses `Span<T>` and bounds checking
- `ArrayPool<byte>` is used for temporary allocations
- `BinaryData` is immutable after construction
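
One way an application can apply the large-file and embedded-content points above around its use of the library. This is an added example, not TagLibSharp2 code: the class name, both size limits and the PNG/JPEG allow-list are assumptions, and no TagLibSharp2 API is called.

```csharp
#nullable enable
using System;
using System.IO;

// Application-side guards (hypothetical helper, not part of TagLibSharp2).
public static class MediaInputGuards
{
    // Assumed limits; tune them to the application's memory budget.
    public const long MaxMediaFileBytes = 512L * 1024 * 1024;
    public const int MaxArtworkBytes = 16 * 1024 * 1024;

    // Reads a media file only if it fits under the cap. The length is taken from
    // the open handle and the read loop is bounded by the buffer, so a file that
    // grows after the check cannot cause a larger allocation.
    public static bool TryReadBounded(string path, out byte[] data)
    {
        data = Array.Empty<byte>();
        using var fs = new FileStream(path, FileMode.Open, FileAccess.Read, FileShare.Read);
        if (fs.Length > MaxMediaFileBytes) return false;

        var buffer = new byte[fs.Length];
        int total = 0;
        while (total < buffer.Length)
        {
            int n = fs.Read(buffer, total, buffer.Length - total);
            if (n == 0) return false; // file shrank while being read
            total += n;
        }
        data = buffer;
        return true;
    }

    // Classifies embedded artwork by its leading signature bytes rather than by
    // the MIME type stored in the tag. Returns null for empty, oversized or unknown data.
    public static string? SniffArtworkType(ReadOnlySpan<byte> art)
    {
        if (art.Length == 0 || art.Length > MaxArtworkBytes) return null;

        ReadOnlySpan<byte> png = new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A };
        if (art.StartsWith(png)) return "image/png";
        if (art.Length >= 3 && art[0] == 0xFF && art[1] == 0xD8 && art[2] == 0xFF) return "image/jpeg";
        return null;
    }
}
```

A signature match only selects which decoder the bytes may be handed to; it does not show that the image is well-formed, so decoding should still go through a maintained image library.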
TagLibSharp2 has no external runtime dependencies, reducing supply chain risk.
Security fixes will be released as patch versions (e.g., 1.0.1) and announced via:
- GitHub Security Advisories
- Release notes