jboss-javassist / javassist

Java bytecode engineering toolkit

Home Page: www.javassist.org

javassist.bytecode.ConstPool allows too many items

chibash opened this issue

The number of constant pool items in a class file must be less than 0x10000 (short integer), but the ConstPool class allows a client program to add more items than that. Omer Kaspi from JFrog Security Research, via his manager, informed me that this could be a vulnerability. Although we could not find any realistic attack scenarios and the risk of this "vulnerability" is very low, I have fixed this problem and released a fixed version as 3.29.1-GA. This version is already available from Maven.
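The u2 limit described in the issue, as an added example (Python written for this page, not Javassist code and not part of the original issue): a checked encoder for `constant_pool_count` and a pool walker that shows how much of an oversized pool the declared count still covers. It assumes an unchecked writer keeps only the low 16 bits of the count; all function names and the sample bytes are constructed.

```python
import struct

U2_LIMIT = 0x10000  # constant_pool_count is a u2: valid values are below this
# Bytes following the 1-byte tag for each fixed-size constant pool entry (JVM spec).
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def encode_count(count, checked=True):
    """Encode constant_pool_count; the checked path rejects what a u2 cannot hold."""
    if checked and not 0 < count < U2_LIMIT:
        raise ValueError(f"constant_pool_count {count} does not fit in a u2")
    return struct.pack(">H", count & 0xFFFF)  # unchecked (assumed): high bits lost

def build_prefix(n_entries, checked=True):
    """Constructed sample: class-file header plus n_entries CONSTANT_Integer items."""
    header = struct.pack(">IHH", 0xCAFEBABE, 0, 52)
    pool = b"".join(struct.pack(">Bi", 3, i) for i in range(n_entries))
    # constant_pool_count is the number of entries plus one (slot 0 is unused).
    return header + encode_count(n_entries + 1, checked) + pool

def walk_pool(data):
    """Return (declared_count, offset just past the entries that count covers)."""
    magic, _minor, _major, declared = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pos, slot = 10, 1
    while slot < declared:
        if pos >= len(data):
            raise ValueError("constant pool runs past end of data")
        tag = data[pos]
        if tag == 1:  # CONSTANT_Utf8: u2 length, then that many bytes
            pos += 3 + int.from_bytes(data[pos + 1:pos + 3], "big")
        elif tag in FIXED:
            pos += 1 + FIXED[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {pos}")
        slot += 2 if tag in (5, 6) else 1  # Long and Double occupy two slots
    if pos > len(data):
        raise ValueError("constant pool runs past end of data")
    return declared, pos

if __name__ == "__main__":
    data = build_prefix(0x10004, checked=False)  # 65540 entries, count wraps
    declared, end = walk_pool(data)
    print(f"declared={declared} pool_end={end} bytes_written={len(data)}")
```

With 65540 entries the truncated header declares a count of 5, so a reader treats everything after offset 30 as the rest of the class structure rather than as pool entries.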