CVE-2025-54065 in GZDoom

Summary

by MITRE • 12/03/2025

GZDoom is a feature centric port for all Doom engine games. GZDoom is an open source Doom engine. In versions 4.14.2 and earlier, ZScript actor state handling allows scripts to read arbitrary addresses, write constants into the JIT-compiled code section, and redirect control flow through crafted FState and VMFunction structures. A script can copy FState structures into a writable buffer, modify function pointers and state transitions, and cause execution of attacker-controlled bytecode, leading to arbitrary code execution.


Analysis

by VulDB Data Team • 12/04/2025

CVE-2025-54065 is a critical vulnerability in GZDoom 4.14.2 and earlier. The ZScript actor state handling exposes engine-internal FState and VMFunction structures to script code without validating what the script hands back, so a script can steer the virtual machine's execution through crafted state transitions. Per the advisory, a script can read arbitrary addresses, write constants into the JIT-compiled code section (memory that script code should never be able to modify), and redirect control flow. The entry is classified as CWE-787 (out-of-bounds write), although the description also covers an arbitrary-read primitive and control-flow hijacking; the underlying problem is missing validation of script-supplied references to VM-internal structures. Concretely, a script copies FState structures into a writable buffer, modifies the function pointers and state transitions in the copy, and has the engine act on that copy, which redirects execution to attacker-controlled bytecode inside the running process.

The impact is arbitrary code execution with the privileges of the user running GZDoom. The attack vector is attacker-supplied game content: a malicious map, mod or other package containing ZScript that the victim loads. It is therefore not a remote, no-interaction attack; the victim must load the content, and nothing in the advisory describes a privilege escalation beyond the GZDoom process. In ATT&CK terms the exploitation is execution through a scripting interpreter (T1059); T1068 (Exploitation for Privilege Escalation) does not apply on the facts given. Because the flaw sits in the core ZScript engine that drives actor behaviour, any content that uses scripted actors is a potential carrier, including custom maps, mods and user-generated content. The low EPSS score (0.00012) and the "very low" activity rating recorded below are consistent with limited exploitation interest so far, not with a broadly exploited issue.

Mitigation: update GZDoom to 4.14.3 or later, which this analysis identifies as containing the fix for the ZScript state handling. Until then, treat every mod, map or PK3 from an untrusted source as untrusted code, because loading it is equivalent to running it; this applies equally to servers, launchers and curation sites that redistribute user-generated content. Generic memory protections (DEP, ASLR) raise the cost of exploitation but do not close this hole: a JIT whose code region scripts can write into, as the advisory's description implies, is precisely the case DEP cannot cover, and the arbitrary-read primitive can be used to defeat ASLR. Organisations that run GZDoom in shared or multi-user settings should restrict who can add content and have a response plan for code injection in third-party applications. The fix addresses the root cause by validating FState references and bounds-checking memory accesses during JIT compilation, preventing unauthorised modifications to the code section while preserving legitimate scripting.
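The pattern the analysis describes (a script copies a state record into its own writable buffer, swaps the action pointer, and hands the copy back to the engine) and the kind of check the fix paragraph calls for, as an added illustration in C. This is not GZDoom's code: FState, Actor, the state table, set_state_unchecked, set_state_checked and script_payload are hypothetical stand-ins modelled on the advisory's description, and GZDoom's real validation is not reproduced here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified actor-state record: an action function pointer
 * plus a link to the next state. Modelled on the advisory's description of
 * FState; not GZDoom's definition. */
typedef struct FState FState;
struct FState {
    const FState *next;      /* state transition */
    int (*action)(void);     /* action run when the state is entered */
};

typedef struct {
    const FState *state;     /* the actor's current state */
} Actor;

static int a_spawn(void) { return 1; }
static int a_look(void)  { return 2; }

/* Engine-owned, read-only state table: the only legitimate state targets. */
static const FState kStates[2] = {
    { &kStates[1], a_spawn },
    { &kStates[0], a_look },
};

/* Stand-in for attacker-controlled code a script must never reach. */
static int script_payload(void) { return 0xBAD; }

/* Vulnerable: trusts whatever FState pointer the script supplies. */
bool set_state_unchecked(Actor *actor, const FState *s) {
    actor->state = s;
    return true;
}

/* Hardened: accept only a pointer that addresses an entry of the engine's
 * own table (inside the table and aligned to an entry boundary). */
bool set_state_checked(Actor *actor, const FState *s) {
    const uintptr_t base = (uintptr_t)kStates;
    const uintptr_t end  = base + sizeof kStates;
    const uintptr_t p    = (uintptr_t)s;
    if (p < base || p >= end || (p - base) % sizeof(FState) != 0)
        return false;                       /* not a table entry: reject */
    actor->state = s;
    return true;
}

/* Engine: run the current state's action. */
int run_action(const Actor *actor) { return actor->state->action(); }

/* Model of the malicious script: copy a real state into writable memory,
 * overwrite its action and transition, and ask the engine to use the copy.
 * Returns what the engine then executes, or -1 if the engine refused. */
static FState script_buffer;                /* script-owned writable buffer */

int script_attack(bool (*set_state)(Actor *, const FState *), Actor *actor) {
    memcpy(&script_buffer, &kStates[0], sizeof script_buffer);
    script_buffer.action = script_payload;  /* redirect control flow */
    script_buffer.next   = &script_buffer;  /* and the state transition */
    if (!set_state(actor, &script_buffer))
        return -1;
    return run_action(actor);
}

/* Same attack against the unchecked (checked == false) or checked engine. */
int demo(bool checked) {
    Actor actor = { &kStates[0] };
    return script_attack(checked ? set_state_checked : set_state_unchecked, &actor);
}

/* A legitimate transition still works under the check. */
int legit_transition(void) {
    Actor actor = { &kStates[0] };
    if (!set_state_checked(&actor, actor.state->next))
        return -1;
    return run_action(&actor);
}

/* A pointer into the table but not on an entry boundary is also rejected. */
int reject_misaligned(void) {
    Actor actor = { &kStates[0] };
    return set_state_checked(&actor, (const FState *)((const char *)kStates + 1));
}

int main(void) {
    printf("unchecked engine ran script action, returned %#x\n", demo(false));
    printf("checked engine result: %d (rejected)\n", demo(true));
    printf("legitimate transition under check: %d\n", legit_transition());
    return 0;
}
```

The check is deliberately a range-and-alignment test against the engine's own table rather than a signature on the struct contents, because the attacker controls every byte of the copy; only the pointer's provenance is something the script cannot forge. An engine that must also hand scripts mutable copies of such records should give them an index or handle, never the address of a structure that carries function pointers.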

Responsible

GitHub M

Reservation

07/16/2025

Disclosure

12/03/2025

Moderation

accepted

CPE

ready

EPSS

0.00012

KEV

no

Activities

very low

Sources
