A while ago a number of security issues were reported.
Most of them were nullified by the recent switch to libmpg123, but this is still extant:
https://blogs.gentoo.org/ago/2017/09/08/mp3gain-stack-based-buffer-overflow-in-filteryule-gain_analysis-c/
(CVE-2017-14407)
Can something be done about it?
Fixed in the latest commit to master, thanks to a patch from Thomas Orgis, the libmpg123 maintainer. I haven't made an official 1.6.2 release yet because there's one more CVE I'm trying to address:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12911
Sadly, that one doesn't have a convenient sample that crashes the current code, so I have to figure out exactly what's causing the problem first.
Released (as source, not bundled into any Windows releases).
Fixed, released, updated website