CD Projekt Red is warning players to “use caution” when installing Cyberpunk 2077 mods or custom saves after members of the game's community discovered a vulnerability in how the game connects to your system’s DLL files that could allow creators of mods/crafted saves to take control of your PC at runtime.
Two days ago, Redditor u/Romulus_Is_Here posted a warning to the r/cyberpunkgame subreddit detailing discoveries made by modder and Cyberpunk save editor creator PixelRick. According to the post, “Through the use of a mod or a crafted game save, malicious codes [sic] can be executed to take control of the PC by the creator of the save game/mod.”
The post doesn’t go into too much depth on how the vulnerability works, but has since been updated with an official tweet from CD Projekt Red confirming the weakness's existence and shedding more light on how it works.
If you plan to use @CyberpunkGame mods/custom saves on PC, use caution. We've been made aware of a vulnerability in external DLL files the game uses which can be used to execute code on PCs. Issue will be fixed ASAP. For now, please refrain from using files from unknown sources. (February 2, 2021)
The tweet states that the error is in the external DLL files the game uses and says the “Issue will be fixed ASAP.” DLL files are already part of your operating system and can be accessed by external programs to run certain activities, so it seems like the issue here is that malicious mods might use your copy of Cyberpunk as a sort of trojan horse to sneak into your system and gain remote access to its files and activities.
“This issue can be potentially used as part of a remote code execution on PCs,” CDPR told Eurogamer. “We appreciate the input and are working on fixing this as soon as possible. In the meantime, we advise anyone to refrain from using files obtained from unknown sources.”
u/Romulus_Is_Here also warns that PixelRick “has confirmed that the PS4 too is susceptible to this vulnerability to an extent.”
The safest solution here is to not use mods from unverified sources, but until CDPR institutes an official patch, fans have come up with an alternate option. Cyber Engine Tweaks is a well-known fan plug-in from modder Yamashi that aims to fix the game’s notoriously inconsistent performance. In the plug-in’s most recent update, version 1.9.6, Yamashi claims to have fixed the vulnerability, which they reiterate can give “full access to your computer to whoever forged a malicious file.”
Night City is a dangerous place. Stay safe out there, Samurai.
I haven't bought Cyberpunk 2077 yet. I very rarely buy games when they are first released because every game will always have bugs that need to be worked out. I don't think it's so much the fault of the developers (though they do have some responsibility), but just the endless amount of combinations in different systems. It would be virtually impossible for them to test on every combination of CPU, GPU, OS, Drivers, resolution, etc. and play through the game in each of these systems to see about finding bugs. Especially something that 'may' happen after 50 hours into the game, when you look at a specific thing, or try to do a certain thing in a specific way, in a certain order, etc, etc.
Reading the original Reddit post, and based on the Nexus site's temporary ban on save files, which gives it further validity, this exploit originated from a CP save bug, which allows delivery of a malicious payload through a buffer overflow. That can be used to manipulate 3rd party DLLs CP uses. Without that save buffer overflow exploit this vulnerability would be useless. So CDPR is not really off the hook here. Unless it gets proven otherwise.