Cyberpunk 2077 players should “be careful” with custom mods and saves after the exploit was discovered • Eurogamer.net

CDPR says it is working on a correction.

Following the discovery of a save file exploit, CD Projekt Red has told players to “be careful” when downloading files of unknown origin for use in Cyberpunk 2077.

In a statement to Eurogamer, CDPR explained a little about the nature of the vulnerability:

“A group of community members contacted us to raise an issue with the external DLL files the game uses. This issue could potentially be used as part of remote code execution on PCs. We appreciate your contribution and are working to fix this as soon as possible. In the meantime, we advise everyone to avoid using files obtained from unknown sources. Anyone planning to use custom mods or saves for Cyberpunk 2077 should be careful until we release the fix mentioned.”


PixelRick, the member of the modding community who discovered the problem, said the save file vulnerability “is not difficult to find, as it is a matter of luck, but [is] complicated to exploit,” describing it as a “vulnerability of the game and not a vulnerability of human nature.”

PixelRick provided a detailed explanation, but here’s an attempt at a simplified overview: when Cyberpunk 2077 reads a save file, a buffer overflow can occur. This buffer overflow can be used to redirect the running thread to an old DLL, loaded at a known fixed address, that has no modern protection. In essence, the vulnerability makes a non-executable file behave like an executable, one that can do what “any virus running locally” can. In addition, “the saved file created can be silent, after closing the pop-up that I open, the actual data from the saved file is loaded by the game without errors,” added PixelRick.

“It is the trust system that is undermined, since you should be able to trust that data file mods are harmless and only be skeptical of executables in general,” PixelRick said. “This vulnerability makes it impossible to really trust any data files modified for this game until [the] fragment.”

After finding the exploit, PixelRick reported the vulnerability to the Cyberpunk 2077 modding Discord administrator, and the information was passed on to CDPR. A temporary fix was created for Cyber Engine Tweaks, a popular modding tool for Cyberpunk 2077, to protect users until CDPR can release an official patch. Although so far this exploit does not appear to have been found “in the wild” on sites like Nexus Mods, it is probably best to avoid downloading save files until the official fix is released.
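The “old DLL, at a known fixed address that has no modern protection” described above corresponds, on Windows, to a module whose PE headers do not opt into ASLR or DEP (that mapping is an assumption here; the article does not name the mitigations). As an added example, not code from PixelRick, CDPR or Cyber Engine Tweaks, the following Python reads those header flags so that the DLLs shipped with a game can be audited; `audit_pe`, `build_sample` and the two sample headers are constructed for illustration.

```python
import struct

# Flag values from the PE/COFF specification.
RELOCS_STRIPPED = 0x0001   # COFF Characteristics: image cannot be rebased
DYNAMIC_BASE = 0x0040      # DllCharacteristics: image opts into ASLR
DLL_FLAGS = {"ASLR (DYNAMIC_BASE)": DYNAMIC_BASE, "DEP (NX_COMPAT)": 0x0100,
             "CFG (GUARD_CF)": 0x4000}

def audit_pe(image: bytes) -> dict:
    """Report the preferred load address and the mitigations not opted into."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("no MZ header")
    (pe,) = struct.unpack_from("<I", image, 0x3C)      # e_lfanew
    opt = pe + 24                  # 4-byte signature + 20-byte COFF header
    if len(image) < opt + 72 or image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature or truncated headers")
    (coff_chars,) = struct.unpack_from("<H", image, pe + 22)
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == 0x10B:                                 # PE32
        (base,) = struct.unpack_from("<I", image, opt + 28)
    elif magic == 0x20B:                               # PE32+
        (base,) = struct.unpack_from("<Q", image, opt + 24)
    else:
        raise ValueError("unknown optional header magic")
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    missing = [name for name, bit in DLL_FLAGS.items() if not dll_chars & bit]
    fixed = bool(coff_chars & RELOCS_STRIPPED) or not dll_chars & DYNAMIC_BASE
    return {"image_base": base, "fixed_address": fixed, "missing": missing}

def build_sample(dll_chars: int, coff_chars: int, base: int = 0x10000000) -> bytes:
    """Constructed PE32 header stub for the demo; not a loadable DLL."""
    img = bytearray(0x40 + 24 + 72)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)            # e_lfanew -> 0x40
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x40 + 22, coff_chars)
    struct.pack_into("<H", img, 0x58, 0x10B)           # optional header magic
    struct.pack_into("<I", img, 0x58 + 28, base)       # ImageBase
    struct.pack_into("<H", img, 0x58 + 70, dll_chars)  # DllCharacteristics
    return bytes(img)

if __name__ == "__main__":
    # Constructed inputs: one legacy-style header, one with mitigations set.
    legacy = build_sample(dll_chars=0x0000, coff_chars=0x2103)
    modern = build_sample(dll_chars=0x4140, coff_chars=0x2102)
    for name, img in (("legacy.dll", legacy), ("modern.dll", modern)):
        print(name, audit_pe(img))
```

To audit a real module, pass the file's bytes (for example `open(path, "rb").read()`) to `audit_pe`; a result with `fixed_address` set to `True` marks a DLL that always loads at its preferred base.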
