CVE-2025-54065
BaseFortify
Publication date: 2025-12-03
Last updated on: 2025-12-04
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zdoom | gzdoom | 4.14.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-913 | The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in GZDoom versions 4.14.2 and earlier involves the ZScript actor state handling, which allows malicious scripts to read arbitrary memory addresses, write constants into the JIT-compiled code section, and redirect control flow by manipulating crafted FState and VMFunction structures. This manipulation can lead to execution of attacker-controlled bytecode, resulting in arbitrary code execution.
How can this vulnerability impact me? :
The vulnerability can allow an attacker with limited privileges to execute arbitrary code within the GZDoom environment. This could lead to unauthorized actions such as compromising the system running GZDoom, executing malicious payloads, or disrupting normal operation.