| Version Range | Supported |
|---|---|
| Latest | Yes |
| Older | No |
Security fixes are applied only to the latest released version. Users are strongly encouraged to upgrade.
Please report security vulnerabilities via GitHub Security Advisories.
Do not open public issues for security-related reports.
When reporting, include:
- Affected versions
- Detailed reproduction steps
- Proof-of-concept (if available)
- Impact assessment
- Initial acknowledgment: within 48 hours
- Triage and assessment: within 3–5 days
- Critical issues: < 7 days
- High severity: < 14 days
- Medium/Low: best effort
- **Critical**
  - Arbitrary code execution through instrumentation
  - Unsafe class loading leading to sandbox escape
- **High**
  - Privilege escalation via agent misuse
  - Bypassing intended constraints in bytecode generation
- **Medium**
  - Denial of service via malformed bytecode
  - Stability issues impacting runtime safety
- **Low**
  - Edge-case validation issues
  - Non-exploitable incorrect behavior
- Vulnerabilities are handled via private coordination
- Fixes are developed and validated before disclosure
- Public disclosure occurs after a fix is available
Advisories will include:
- Affected versions
- Description of impact
- Mitigation steps
- Upgrade guidance
- Restrict use of Java agents in production environments
- Validate class loaders and transformation targets
- Keep Byte Buddy updated to the latest version
- Avoid exposing instrumentation capabilities to external users
Byte Buddy repackages ASM internally to avoid dependency conflicts.
Users should still monitor:
- JVM-level vulnerabilities
- Build and runtime environments
- Dependency scanning results in their own systems
Byte Buddy is safe to use as a regular library for class generation and extension within trusted code. The primary risks arise from the features that modify existing code or execute injected logic.
Java agents can transform or redefine classes at runtime and operate with the full privileges of the hosting JVM.
**Risks**
- Injection of arbitrary code into application classes
- Modification of security-sensitive logic
- Full process compromise if misused or exposed
**Guidance**
- Do not allow untrusted agents
- Restrict agent attachment in production environments
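One way to apply the two guidance points above at JVM launch, as an added example that is not part of the Byte Buddy project: a hypothetical launcher that starts the JVM with the runtime attachment paths disabled and refuses startup agents that do not live in an operator-controlled directory (assumed to be `/opt/agents`, overridable via `APPROVED_AGENT_DIR`).

```shell
#!/bin/sh
# Hypothetical hardened launcher (added example; not Byte Buddy project code).
# Assumes approved startup agents are installed under $APPROVED_AGENT_DIR.
APPROVED_AGENT_DIR="${APPROVED_AGENT_DIR:-/opt/agents}"

# JVM options that close the attach-based agent loading paths:
#   -XX:+DisableAttachMechanism        no attach listener, so nothing can load an
#                                      agent into the running process (jcmd, attach API)
#   -XX:-EnableDynamicAgentLoading     JDK 21+: agents loaded after startup are refused
#   -Djdk.attach.allowAttachSelf=false the JVM may not attach to itself (JDK 9+
#                                      default, stated explicitly here)
hardened_jvm_opts() {
  printf '%s' '-XX:+DisableAttachMechanism -XX:-EnableDynamicAgentLoading -Djdk.attach.allowAttachSelf=false'
}

# Returns 0 if every startup agent argument is acceptable, 1 otherwise.
#  -javaagent:/-agentpath: must point inside APPROVED_AGENT_DIR and contain no
#  '..' segment (the JVM would resolve it, defeating a plain prefix check).
#  -agentlib: names a native library resolved via java.library.path rather
#  than a path, so it cannot be pinned to the approved directory and is refused.
check_agent_args() {
  for arg in "$@"; do
    case "$arg" in
      -agentlib:*) return 1 ;;
      -javaagent:*|-agentpath:*)
        path="${arg#*:}"      # strip the option prefix
        path="${path%%=*}"    # drop agent options following '='
        case "$path" in
          *..*) return 1 ;;
          "$APPROVED_AGENT_DIR"/*) ;;
          *) return 1 ;;
        esac
        ;;
    esac
  done
  return 0
}

# Launch: validate agent arguments, then exec java with the hardened options.
run_hardened() {
  check_agent_args "$@" || { echo "refusing to start: agent outside $APPROVED_AGENT_DIR" >&2; return 1; }
  # shellcheck disable=SC2046
  exec java $(hardened_jvm_opts) "$@"
}
```

`-XX:-EnableDynamicAgentLoading` is only recognised by JDK 21 and later; on older JVMs drop it, since `-XX:+DisableAttachMechanism` already blocks dynamic loading there.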
Byte Buddy can be used in build tools to modify bytecode during compilation or packaging.
**Risks**
- Execution of malicious code during build
- Supply chain compromise via untrusted plugins or dependencies
**Guidance**
- Only use trusted plugins and dependencies
- Verify build integrity and dependency sources
- Regular library usage is considered safe under normal conditions
- The main security risks stem from code injection capabilities, especially via agents and build-time instrumentation