Cyber Posture

CVE-2024-54756

Severity: Critical

Published: 20 February 2025
Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0211 (84.2nd percentile)
Risk Priority: 21 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

A remote code execution (RCE) vulnerability in the ZScript function of ZDoom Team GZDoom v4.13.1 allows attackers to execute arbitrary code by supplying a crafted PK3 file containing a malicious ZScript source file.

Security Summary

CVE-2024-54756 is a remote code execution (RCE) vulnerability affecting the ZScript function in ZDoom Team GZDoom version 4.13.1. The flaw allows attackers to execute arbitrary code by supplying a crafted PK3 file that contains a malicious ZScript source file. It has been assigned a CVSS v3.1 base score of 9.8, indicating critical severity, and is associated with CWE-94 (Improper Control of Generation of Code).

The vulnerability can be exploited remotely over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) and no user interaction (UI:N), and results in high impact to confidentiality, integrity, and availability (C:H/I:H/A:H) with unchanged scope (S:U). Any unauthenticated attacker can leverage this by delivering a malicious PK3 file (the archive format GZDoom loads for mods and maps) to an affected GZDoom instance, potentially gaining full control over the process that loads it.

References include a proof-of-concept (PoC) exploit at https://github.com/Chainmanner/GZDoom-Arbitrary-Code-Execution-via-ZScript-PoC and the disclosure on the Full Disclosure mailing list at https://seclists.org/fulldisclosure/2025/Feb/11 (also listed as http://seclists.org/fulldisclosure/2025/Feb/11). The CVE record provides no patch or mitigation details; until a fixed release is confirmed, the practical control is to treat PK3 files from untrusted sources as untrusted code and not load them.

Details

CWE(s): CWE-94 (Improper Control of Generation of Code)

References