Summary
mp3gain has accumulated 19 known CVEs over the past two decades. While the v1.6.2 source release mitigated many mpglibDBL vulnerabilities by migrating to system libmpg123, the stable Windows binary (v1.2.5) on the Downloads page and the APE tag handling code (apetag.c) remain vulnerable.
This report is intended as a consolidated reference for users and distribution maintainers.
Windows stable binary (v1.2.5):
Source v1.6.2 (with system libmpg123):
| CVE | CVSS | Type |
|---|---|---|
| CVE-2023-49356 | 7.5 (High) | Stack buffer overflow in WriteMP3GainAPETag |
| CVE-2019-18359 | 5.5 (Medium) | Buffer over-read in ReadMP3APETag |
| CVE-2018-10777 | — | Buffer overflow in WriteMP3GainAPETag |
| CVE-2017-12911 | — | Stack memory corruption |
Patches exist — Debian's fix-security-bugs.patch addresses these. See: https://sources.debian.org/patches/mp3gain/1.6.2-3/
CVE-2003-0577, CVE-2004-0805, CVE-2004-0991, CVE-2006-1655, CVE-2017-9872, CVE-2017-12912, CVE-2017-14406, CVE-2017-14407, CVE-2017-14408, CVE-2017-14409 (CVSS 7.8), CVE-2017-14410, CVE-2017-14411, CVE-2017-14412, CVE-2018-10776, CVE-2018-10778, CVE-2020-15359, CVE-2021-34085 (CVSS 9.8)
These are mitigated in v1.6.2 when built with system libmpg123, but the Windows download on this project page is v1.2.5, which bundles the vulnerable mpglibDBL.
| Distribution | Version | Patched? |
|---|---|---|
| Debian/Ubuntu | 1.6.2-3 | Yes (most comprehensive) |
| openSUSE | 1.6.2 | Partial (2020 security updates) |
| Fedora | 1.6.2 | Partial |
| Homebrew (macOS) | 1.6.2 | No (links to libmpg123 but no apetag.c patches) |
| SourceForge Windows | 1.2.5 | No |
If upstream maintenance is not feasible, a note directing users to patched distribution packages (e.g., Debian) or alternative tools would help reduce user risk.
WriteMP3GainAPETag (open, patch available from Luigi Baldoni)
Update: I was not aware that the Debian/openSUSE security patches had already been applied to master in commit b0d6a5 (2025-11-01, Bug #62). Thank you Glen for applying those.
To clarify the current status:
Fixed in master (not yet released):
WriteMP3GainAPETagReadMP3APETagWriteMP3GainAPETagapetag.cPossibly also addressed: Bugs #56–#60 (heap-buffer-overflow in
ReadMP3APETag) — the Debian patch addsremainingsize checks and field size validation that may cover these cases, but they were reported with specific PoC files and have not been explicitly confirmed as fixed.Still affected (mpglibDBL, Windows binary only):
The v1.2.5 and v1.3.4 Windows binaries on the Downloads page still bundle mpglibDBL and are vulnerable to the 15 mpglibDBL-related CVEs listed above. These are mitigated when building v1.6.2 from source with system libmpg123.
Remaining suggestions: