The latest version of the `BundleTool` library (1.18.0) is still vulnerable to the `CVE-2024-7254` security vulnerability

Open • embarcadero-dev opened this issue 11 months ago • 1 comment

The latest version of the BundleTool library (1.18.0) is still vulnerable to the CVE-2024-7254 security vulnerability. This vulnerability comes from the protobuf-java dependency and has affected the BundleTool library for several years.

Many organizations enforce strict policies against using binaries with known security vulnerabilities. Please consider updating the protobuf-java dependency used by the BundleTool library from version 3.22.3 to at least 3.25.5 to address this issue.

embarcadero-dev • Jan 27 '25 18:01

I have also created an IssueTracker ticket for this issue.

embarcadero-dev • Jan 27 '25 18:01