Cyberpunk 2077 players told to “use caution” with mods and custom saves after exploit discovered

Following the discovery of a save file exploit, CD Projekt Red has told players to “use caution” when downloading files of unknown origin for use in Cyberpunk 2077.

In a statement to Eurogamer, CDPR explained a little about the nature of the vulnerability:

“A group of community members reached out to us to bring up an issue with the external DLL files the game uses. This issue can be potentially used as part of a remote code execution on PCs. We appreciate their input and are working on fixing this as soon as possible. In the meantime, we advise everyone to refrain from using files obtained from unknown sources. Anyone who plans to use mods or custom saves for Cyberpunk 2077 should use caution until we release the aforementioned fix.”

According to modding community member PixelRick, who is credited with discovering the issue, the save file vulnerability is “not hard to find as it is a matter of luck, but it [is] tricky to exploit,” describing it as a “vulnerability of the game and not a vulnerability of human nature”. PixelRick provided an in-depth explanation, but here’s an attempt at a simplified overview: when Cyberpunk 2077 reads a savefile it can create a buffer overflow. This buffer overflow can be used to redirect the running thread to an old DLL, at a fixed known address that doesn’t have modern protection. In essence the vulnerability makes a non-executable file executable, which could carry out “any locally executed virus”. On top of that, “the crafted save file can be silent, after closing the popup I open, the real savefile data is loaded by the game without errors,” PixelRick added.

“It is the trust system that is undermined since you should be able to trust data file mods to be harmless, and only be sceptical about executables in general.” PixelRick said. “This vulnerability makes it impossible to really trust any modded data file for this game until [the] patch.”

After finding the exploit, PixelRick reported the vulnerability to the admin of the Cyberpunk 2077 modding Discord, and the information was passed to CDPR. A temporary fix was created for Cyber Engine Tweaks, a popular modding tool for Cyberpunk 2077, to tide users over until CDPR could issue an official patch. While so far it seems this exploit has not been spotted “in the wild” on sites like Nexus Mods, it’s probably best to avoid downloading save files until that official fix is rolled out.