CD Projekt Red is warning players to “use caution” when installing Cyberpunk 2077 mods or custom saves after members of the game's community discovered a vulnerability in how the game connects to your system’s DLL files that could allow creators of mods/crafted saves to take control of your PC at runtime.
Two days ago, Redditor u/Romulus_Is_Here posted a warning to the r/cyberpunkgame subreddit detailing discoveries made by modder and Cyberpunk save editor creator PixelRick. According to the post, “Through the use of a mod or a crafted game save, malicious codes [sic] can be executed to take control of the PC by the creator of the save game/mod.”
The post doesn’t go into too much depth on how the vulnerability works, but has since been updated with an official tweet from CD Projekt Red confirming the weakness' existence and shedding more light onto how it works.
If you plan to use @CyberpunkGame mods/custom saves on PC, use caution. We've been made aware of a vulnerability in external DLL files the game uses which can be used to execute code on PCs. Issue will be fixed ASAP. For now, please refrain from using files from unknown sources.February 2, 2021
The tweet states that the error is in the external DLL files the game uses and says the “Issue will be fixed ASAP.” DLL files are already part of your operating system and can be accessed by external programs to run certain activities, so it seems like the issue here is that malicious mods might use your copy of Cyberpunk as a sort of trojan horse to sneak into your system and gain remote access to its files and activities.
“This issue can be potentially used as part of a remote code execution on PCs,” CDPR told Eurogamer. “We appreciate the input and are working on fixing this as soon as possible. In the meantime, we advise anyone to refrain from using files obtained from unknown sources.”
U/Romulus_Is_Here also warns that PixelRick “has confirmed that the PS4 too is susceptible to this vulnerability to an extent.”
The safest solution here is to not use mods from unverified sources, but until CDPR institutes an official patch, fans have come up with an alternate option. Cyber Engine Tweaks is a well-known fan plug-in from modder Yamashi that aims to fix the game’s notoriously inconsistent performance. In the plug-in’s most recent update, version 1.9.6, Yamashi claims to have fixed the vulnerability, which they reiterate can give “full access to your computer to whoever forged a malicious file.”
Night City is a dangerous place. Stay safe out there, Samurai.