A vulnerability identified as CVE-2014-9756 was discovered and fixed in the libsndfile project with the following commit: libsndfile/libsndfile@725c7db, which amended the "psf_fwrite" function located in the src/file_io.c file.
The ChucK project contains an identical "psf_fwrite" function in the src/core/util_sndfile.c file, which has not been fixed.
The bug was reported by a tool developed by the CAST: Static Analysis team during the DevHacks hackathon.