Fortunately we only have stable lilypond version 2.18.2, I'm waiting patiently for 2.20.0 which shouldn't have this vulnerability.