CD Projekt RED warns of vulnerability when installing Cyberpunk 2077 mods
CD Projekt RED is warning gamers against installing mods or custom save files for Cyberpunk 2077. The developer states that “a vulnerability in external DLLs” could be used to run code on PCs.
The studio said in a statement to Eurogamer that the issue was raised by a group of members of the game’s community. On Twitter, CD Projekt RED recommends that users use ‘no files from unknown sources’. The vulnerability’s discoverer, a Cyberpunk 2077 mod maker named PixelRick, states that it is impossible to trust mods or custom save files until this issue is patched. CD Projekt RED says it will solve the problem ‘as soon as possible’, but does not mention a concrete release date for a hotfix.
PixelRick calls the vulnerability “not hard to find, but difficult to exploit.” The user explains that a buffer overflow can occur in Cyberpunk 2077 when it loads a save file, and that this overflow can be used to redirect the game to an old DLL file that is stored at a fixed location and lacks modern security protections.
“Essentially, the vulnerability makes a non-executable file executable,” the mod maker told Eurogamer. This can then be used to execute code. According to PixelRick, this happens ‘silently’, after which the real save file is opened without errors. CD Projekt RED released the mod tools for Cyberpunk 2077 last week. It is unclear whether the vulnerability is currently being actively exploited on public modding sites such as NexusMods. It is therefore advisable to avoid mods and custom save files until CD Projekt RED releases a fix.