metaclean is a privacy tool: its worst-case failure is reporting a file as "clean" when removable metadata actually survived, or mishandling a file it overwrites. Reports of either — or of any vulnerability in metaclean itself — are welcome.
Please do not open a public issue for security reports.
Use GitHub's private vulnerability reporting for this repository (the Security tab → Report a vulnerability). If that is unavailable, contact the maintainer privately via their GitHub profile (@26zl).
Please include:
- the file type and a minimal way to reproduce (use `--dry-run` if you can't share the file);
- the metaclean version and the detected exiftool/mat2/qpdf/ffmpeg versions (`metaclean --version`);
- your OS and Ruby version.
We aim to acknowledge reports within a few days.
metaclean shells out to ExifTool, mat2, qpdf, and ffmpeg, which parse hostile binary formats and have had CVEs of their own. Vulnerabilities in those tools should be reported to their respective projects — keep them updated. metaclean's own scope is the wrapper logic: path handling and argument-injection guards, the strip/verify pipeline, the "never write a file we can't verify is clean" guarantee, and the atomic in-place write/backup.
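The two wrapper-side guarantees named above (argument-injection guards when shelling out, and a verified, atomic in-place replacement with backup) as an added illustration. This is not metaclean's own code: the function names `tool_argv`, `run_tool` and `atomic_verified_replace`, the verify callback, and the demo file contents are assumptions constructed for this example.

```ruby
require "tempfile"
require "fileutils"
require "tmpdir"

# Build an argv array for an external tool so that a hostile file name such as
# "-delete_original" is never parsed as an option. Passing an array (never a
# shell string) defeats shell metacharacters; a name beginning with "-" is
# prefixed with "./" so it is a plain path to every tool, whether or not the
# tool honours a "--" end-of-options marker.
def tool_argv(tool, options, path)
  raise ArgumentError, "path must be a String" unless path.is_a?(String)
  raise ArgumentError, "path contains a NUL byte" if path.include?("\0")
  safe = path.start_with?("-") ? File.join(".", path) : path
  [tool, *options, safe]
end

# Run argv without a shell. The [cmd, argv0] form forces Process.spawn to exec
# the program directly, so /bin/sh never sees the arguments.
def run_tool(argv)
  out_r, out_w = IO.pipe
  pid = Process.spawn([argv.first, argv.first], *argv.drop(1), out: out_w, err: out_w)
  out_w.close
  output = out_r.read
  out_r.close
  _, status = Process.wait2(pid)
  [status.success?, output]
end

# Replace `path` with `new_bytes` only if the block approves the candidate file.
# The candidate goes to a temp file in the same directory, is flushed and
# fsync'd, then renamed over the original, so a reader sees either the old or
# the new file and never a half-written one. The original is kept as path.bak.
# If the verifier rejects the candidate, the original is left untouched.
def atomic_verified_replace(path, new_bytes, backup: true)
  dir = File.dirname(File.expand_path(path))
  tmp = Tempfile.create(".#{File.basename(path)}.", dir)
  begin
    tmp.binmode
    tmp.write(new_bytes)
    tmp.flush
    tmp.fsync
    tmp.close
    unless yield(tmp.path)
      File.unlink(tmp.path)
      return false
    end
    File.chmod(File.stat(path).mode & 0o7777, tmp.path)   # keep original permissions
    FileUtils.cp(path, "#{path}.bak", preserve: true) if backup
    File.rename(tmp.path, path)                             # atomic on POSIX within one filesystem
    true
  rescue StandardError
    tmp.close unless tmp.closed?
    File.unlink(tmp.path) if File.exist?(tmp.path)
    raise
  end
end

# Constructed demo: a fake "image" whose metadata is the substring "EXIF".
# The verifier rejects a candidate that still contains it, so the first strip
# attempt is refused and the original survives; the second is accepted.
def demo
  Dir.mktmpdir do |dir|
    path = File.join(dir, "photo.jpg")
    File.binwrite(path, "ORIGINAL-WITH-EXIF")
    clean = ->(candidate) { !File.binread(candidate).include?("EXIF") }
    rejected = atomic_verified_replace(path, "STILL-HAS-EXIF", &clean)
    accepted = atomic_verified_replace(path, "CLEAN", &clean)
    [rejected, accepted, File.binread(path), File.binread("#{path}.bak")]
  end
end

if __FILE__ == $PROGRAM_NAME
  p tool_argv("exiftool", ["-all=", "-overwrite_original"], "-delete_original")
  p demo
end
```

In a real pipeline the verify block would re-run the metadata reader (for example ExifTool) on the candidate and accept only an empty result; the point of the shape is that the rename happens after that check, never before it.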
metaclean follows Semantic Versioning. Only the latest released version receives fixes.