CDPR says it is working on a fix.
Upon discovering a save file abuse, CD Projekt Red has told players to “be careful” when downloading files of unknown origin for use in Cyberpunk 2077.
In a statement to Eurogamer, CDPR explained something about the nature of the vulnerability:
“A group of community members have reached out to us to raise an issue with the remote DLL files the game uses. This issue could potentially be used as part of running remote code on PCs. We appreciate their input and working on a fix.As soon as possible. In the meantime, we recommend that everyone refrain from using files obtained from unknown sources. Anyone planning to use mods or custom saves for Cyberpunk 2077 should be careful until we release the aforementioned solution. “
Eurogamer Next-Gen News Cast – Should Sony Refund for Control on PS5?
According to PixelRick, a modding community member credited with discovering the problem, the save file vulnerability is “not hard to find because it’s a matter of luck, but [is] tricky to exploit, ”describing it as a“ vulnerability of the game and not a vulnerability of human nature. ”PixelRick provided an in-depth explanation, but here’s an attempt at a simplified overview: when Cyberpunk 2077 reads a save file, it is a buffer overflow. This buffer overflow can be used to redirect the active thread to an old DLL, at a fixed known address that does not have modern protection. Essentially the vulnerability makes a non-executable executable, which ‘any local virus executed “. Additionally, “the created save file may be silent, after closing the popup I open, the real save data will be loaded through the game without errors,” added PixelRick.
“It is the trust system that is being undermined, as you should be able to rely on data file mods to be harmless, and only be skeptical of executables in general.” PixelRick said. “This vulnerability makes it impossible to truly trust a modified data file for this game [the] patch. “
After finding the exploit, PixelRick reported the vulnerability to the Cyberpunk 2077 modding Discord administrator, and the information was passed on to CDPR. A workaround has been created for Cyber Engine Tweaks, a popular modding tool for Cyberpunk 2077, to help users until CDPR could release an official patch. While it doesn’t seem like this exploit has been seen “in the wild” on sites like Nexus Mods so far, it’s probably best to avoid downloading save files until that official fix is rolled out.