Remediation for Vulnerable Libraries with known Security Issues

This information is intended for developers whose apps contain one or more Java or JavaScript libraries with known security issues (e.g., Common Vulnerabilities and Exposures, or CVEs). Although unintended by the app developer, including such vulnerable libraries in an app can put app users at risk. A list of detected unsafe libraries and their locations can be found in the Play Console notification for your app.

How to fix “Vulnerable libraries with known security issues” alerts

To resolve this issue, you can take one of the following three actions for each detected unsafe library:

  1. Use an up-to-date version of the library: If the app has a direct dependency on the detected unsafe version of a library, and the security issue has been resolved in the latest version of that library, rebuilding the app with the latest version will resolve the issue.

  2. Contact the library developer: It is possible that the library is still maintained but the security issue has not yet been fixed. It is also possible that the app has a transitive dependency on the detected unsafe library (i.e., the app directly depends on a library, which in turn depends on the unsafe library). Under such circumstances, contact the library developer to fix the issue.

  3. Find an alternative: If the unsafe library with one or more security issues is no longer maintained, please find and use a safe alternative library.
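Which action applies depends on whether the flagged library is a direct or a transitive dependency. The following added example (not part of the original page) classifies each occurrence of a library in a Gradle dependency tree; it assumes a Gradle build with a module named `:app`, and the tree text and `com.example` coordinates are constructed sample data.

```python
import re

# Constructed sample of the text printed by
#   ./gradlew :app:dependencies --configuration releaseRuntimeClasspath
# The coordinates are illustrative, not taken from a Play Console notification.
SAMPLE_TREE = r"""
releaseRuntimeClasspath - Runtime classpath of compilation 'release'.
+--- com.example:http-client:3.2.0
|    \--- com.example:io-core:1.4.0
+--- com.example:analytics-sdk:2.1.0
|    +--- com.example:json-lite:2.8.5
|    \--- com.example:io-core:1.3.0 -> 1.4.0 (*)
\--- com.example:json-lite:2.8.5
"""

# One tree row: indentation in 5-character steps, a branch marker, then
# group:name[:version] with an optional " -> resolved" version override.
ROW = re.compile(r"^((?:[| ] {4})*)[+\\]--- ([^:\s]+:[^:\s]+)(?::(\S+))?(?: -> (\S+))?")

def locate(tree_text, module):
    """Return one record per occurrence of `module` (group:name) in the tree."""
    hits, stack = [], []  # stack[i] holds the module at depth i of the current path
    for line in tree_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # configuration header, blank line, or other non-tree text
        depth = len(m.group(1)) // 5
        name, declared, resolved = m.group(2), m.group(3), m.group(4)
        del stack[depth:]  # drop the siblings and children of the previous row
        stack.append(name)
        if name == module:
            hits.append({
                "kind": "direct" if depth == 0 else "transitive",
                "via": stack[0],  # the direct dependency that pulls it in
                "path": list(stack),
                "version": resolved or declared,  # version Gradle actually selected
            })
    return hits

def remediation_hint(hit):
    """Map an occurrence to the actions listed above (hypothetical helper)."""
    if hit["kind"] == "direct":
        return "update %s in your build file, or find an alternative" % hit["via"]
    return "contact the developer of %s, or find an alternative to it" % hit["via"]

if __name__ == "__main__":
    for hit in locate(SAMPLE_TREE, "com.example:io-core"):
        print(" > ".join(hit["path"]), hit["version"], "=>", remediation_hint(hit))
```

A library can appear both ways at once (here `com.example:json-lite`), in which case updating the direct declaration alone may not remove every flagged copy.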

Next steps

  1. Update your app using the steps highlighted above.

  2. Sign in to your Play Console and submit the updated version of your app.

Your app will be reviewed again; if the app has not been updated correctly, you will still see the warning. This process can take several hours.

We’re here to help

If you have technical questions about the vulnerability, you can post to Stack Overflow and use the tag “android-security.”
