CVE-2025-54065
- Source
- https://cve.org/CVERecord?id=CVE-2025-54065
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-54065.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-54065
- Aliases
-
- GHSA-prhc-chfw-32jg
- Published
- 2025-12-03T17:02:56.603Z
- Modified
- 2025-12-05T10:19:45.479888Z
- Severity
-
- 7.9 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N CVSS Calculator
- Summary
- GZDoom engine allows arbitrary code execution via ZScript actor states
- Details
-
GZDoom is a feature centric port for all Doom engine games. GZDoom is an open source Doom engine. In versions 4.14.2 and earlier, ZScript actor state handling allows scripts to read arbitrary addresses, write constants into the JIT-compiled code section, and redirect control flow through crafted FState and VMFunction structures. A script can copy FState structures into a writable buffer, modify function pointers and state transitions, and cause execution of attacker-controlled bytecode, leading to arbitrary code execution.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/54xxx/CVE-2025-54065.json", "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-913" ] }- References
Affected packages
Git / github.com/zdoom/gzdoom
Affected versions
2.*
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.2.0
2.3.0
2.3.1
2.5.0
2.5pre
2.7.0
2.8.0
2.8.9999
2.8pre
2.9pre
G1.*
G1.9pre
Other
ci_deps
notok#2
ok3
test_1
g2.*
g2.0.01pre
g2.1.pre
g2.1pre
g2.2pre
g2.3pre
g2.4pre
g3.*
g3.0pre
g3.2pre
g3.3pre
g3.4pre
g3.5pre
g3.6pre
g3.7pre
g3.8pre
g4.*
g4.10pre
g4.11pre
g4.12pre
g4.13pre
g4.14.1
g4.14.2
g4.14pre
g4.15pre
g4.1pre
g4.2pre
g4.3pre
g4.4pre
g4.5pre
g4.6pre
g4.7.0pre
g4.8pre
g4.9pre