Overview
CVE-2025-54065 is a high-severity vulnerability affecting GZDoom, a popular feature-centric port for all Doom engine games. This vulnerability, reported on December 3rd, 2025, stems from insecure handling of ZScript actor states and can lead to arbitrary code execution on affected systems. Exploitation of this vulnerability allows attackers to gain complete control over the system running GZDoom.
Technical Details
The vulnerability lies within GZDoom’s ZScript scripting engine, specifically how actor states are handled. Versions 4.14.2 and earlier are vulnerable. The issue arises because ZScript actor state handling allows scripts to perform the following malicious actions:
- Read arbitrary memory addresses.
- Write constants into the JIT-compiled code section.
- Redirect control flow through crafted FState and VMFunction structures.
An attacker can craft a malicious ZScript that copies FState structures into a writable buffer, modifies function pointers and state transitions within those structures, and ultimately causes the execution of attacker-controlled bytecode. This effectively bypasses security measures and grants the attacker the ability to execute arbitrary code with the privileges of the GZDoom process.
CVSS Analysis
CVE-2025-54065 has been assigned a Common Vulnerability Scoring System (CVSS) score of 7.9, indicating high severity. This score reflects the potential for complete system compromise. The specific CVSS vector would likely indicate exploitation complexity that may require local access or user interaction, although the specifics depend on how user-provided ZScript content is processed.
Possible Impact
Successful exploitation of CVE-2025-54065 can have severe consequences, including:
- Arbitrary Code Execution: The attacker can execute any code on the victim’s system.
- System Compromise: Full control over the affected system, potentially leading to data theft, malware installation, and other malicious activities.
- Denial of Service: The attacker can crash the game and potentially the entire system.
Mitigation and Patch Steps
The primary mitigation is to update GZDoom to a version later than 4.14.2, which contains the necessary security fixes. Users are strongly advised to download and install the latest version from the official GZDoom website or trusted distribution channels.
As a general security measure, users should exercise caution when running ZScript mods from untrusted sources. Verify the source and integrity of any mods before using them.
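One way to carry out that check before loading a mod, as an added example that is not code from the GZDoom project: it compares a mod file's SHA-256 with the value its publisher lists and reports whether the archive carries ZScript at all. The function names, the sample archive and the file-name heuristics for spotting ZScript inside a PK3 are assumptions made for this illustration.

```python
import hashlib, io, struct, zipfile

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def zscript_entries(data: bytes) -> list:
    """Names of entries that carry ZScript in a WAD or PK3 (zip) image."""
    if data[:4] in (b"IWAD", b"PWAD"):
        # WAD header: magic, lump count, directory offset; 16-byte directory
        # records hold file position, size and an 8-byte NUL-padded name.
        count, diroff = struct.unpack_from("<ii", data, 4)
        names = [struct.unpack_from("<8s", data, diroff + 16 * i + 8)[0]
                 .split(b"\0")[0].decode("ascii", "replace") for i in range(count)]
        return [n for n in names if n.upper() == "ZSCRIPT"]
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            low = name.lower()
            stem = low.split(".", 1)[0]
            # Heuristic (assumption): root-level "zscript.*" is the entry lump;
            # a zscript/ folder or .zs/.zsc files are likely #include targets.
            if stem == "zscript" or low.startswith("zscript/") or low.endswith((".zs", ".zsc")):
                hits.append(name)
    return hits

def triage(data: bytes, published_sha256: str) -> dict:
    """Compare the file hash with the publisher's value and list ZScript content."""
    digest = sha256_hex(data)
    return {"sha256": digest,
            "hash_ok": digest == published_sha256.strip().lower(),
            "zscript": zscript_entries(data)}

def build_sample_pk3() -> bytes:
    """Constructed sample: a tiny PK3 with one ZScript lump and one graphic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("zscript.txt", "// constructed placeholder\n")
        zf.writestr("graphics/title.png", b"\x89PNG")
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_pk3()
    # The "published" hash is computed from the sample so the demo runs offline.
    print(triage(sample, sha256_hex(sample)))
```

A matching hash only shows the file is the one the publisher listed; a non-empty `zscript` list means the mod runs script code and deserves the source check described above, especially on GZDoom 4.14.2 or earlier.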
