CD Projekt Red warns gamers against installing mods or custom save files for Cyberpunk 2077. The developer states that “a vulnerability in external DLLs” can be used to run code on PCs.
The studio says in a statement to Eurogamer that the issue was raised by a group of members of the game's community. On Twitter, CD Projekt RED advises users not to use files from unknown sources. The discoverer of the vulnerability, a Cyberpunk 2077 mod maker called PixelRick, argues that it is impossible to trust mods or custom save files until this issue is patched. CD Projekt RED says it will fix the problem 'as soon as possible', but does not give a release date for a hotfix.
PixelRick calls the vulnerability 'not difficult to find, but difficult to exploit'. The mod maker explains that a buffer overflow can occur when Cyberpunk 2077 loads a save file, and that this overflow can be used to redirect the game to an old DLL that is stored in a fixed location and has no modern security.
“In essence, the vulnerability makes a non-executable file executable,” the mod maker tells Eurogamer. Code can then be executed with it. According to PixelRick, this happens 'quietly', after which the real save file opens without errors. CD Projekt RED released the mod tools for Cyberpunk 2077 last week. It is unclear whether the vulnerability is currently being actively exploited on public modding sites like NexusMods. It is therefore advisable to avoid mods or save files until CD Projekt RED comes up with a solution.
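The "old DLL" with "no modern security" that PixelRick describes is something a defender can look for in a game directory. The following is an added example, not code from CD Projekt RED or PixelRick; it assumes that "modern security" refers to the exploit mitigations a Windows DLL opts into through the `DllCharacteristics` field of its PE header (ASLR, DEP, CFG), and the sample headers it builds are constructed.

```python
import struct
import sys

# DllCharacteristics bits defined by the PE/COFF format.
MITIGATIONS = {
    "ASLR (DYNAMIC_BASE)": 0x0040,
    "DEP (NX_COMPAT)": 0x0100,
    "CFG (GUARD_CF)": 0x4000,
}

def missing_mitigations(image: bytes) -> list[str]:
    """Return the mitigations a PE image (EXE or DLL) does not opt into."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: no MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)   # e_lfanew
    opt_off = pe_off + 24                                # signature + COFF header
    if len(image) < opt_off + 72 or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad or truncated PE header")
    (magic,) = struct.unpack_from("<H", image, opt_off)
    if magic not in (0x10B, 0x20B):                      # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    (flags,) = struct.unpack_from("<H", image, opt_off + 70)
    return [name for name, bit in MITIGATIONS.items() if not flags & bit]

def build_sample(dll_characteristics: int) -> bytes:
    """Constructed minimal PE32+ header: only the fields the parser reads."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    optional = bytearray(72)
    struct.pack_into("<H", optional, 0, 0x20B)
    struct.pack_into("<H", optional, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + bytes(20) + bytes(optional)

if __name__ == "__main__":
    # With arguments: audit the given DLL paths. Without: run on the samples.
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                # The first 4 KiB covers the headers of typical images.
                print(path, missing_mitigations(fh.read(4096)) or "ok")
    else:
        print("legacy sample:", missing_mitigations(build_sample(0x0000)))
        print("hardened sample:", missing_mitigations(build_sample(0x4140)))
```

A DLL reported as missing ASLR loads at a predictable address, which is the property that makes an overflow like the one described easier to turn into code execution.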