To report a security vulnerability, open a issue and attach the Vulnerability tag. Then describe what the security issue is and how you fix it. If you want (not required), you could open a pull request (again attaching the Vulnerability tag) with your changes.