5 matches found
EUVD-2025-29525
Malicious code in bioql PyPI...
GHSA-X6GV-2RVH-QMP6 m00nl1ght-dev/steam-workshop-deploy: Exposure of Version-Control Repository to an Unauthorized Control Sphere and Insufficiently Protected Credentials
Summary: The steam-workshop-deploy GitHub Action does not exclude the .git directory when packaging content for deployment and provides no built-in way to do so. If a .git folder exists in the target directory, e.g., due to a local Git repo, custom project structure, or via the actions/checkout...
Squirrel Bug Lets Attackers Execute Code in Games, Cloud Services
An out-of-bounds read vulnerability in the Squirrel programming language lets attackers break out of sandbox restrictions and execute arbitrary code within a Squirrel virtual machine (VM), thus giving a malicious actor complete access to the underlying machine. Given where Squirrel lives – in games...
Squirrel Sandbox Escape allows Code Execution in Games and Cloud Services
SquirrelLang is an interpreted, open-source programming language that is used by video games and cloud services for customization and plugin development. For example, the extremely popular game Counter-Strike: Global Offensive (CS:GO) attracts millions of players on a monthly basis and utilizes the...
Valve: Malformed NAV file leads to buffer overflow and code execution in Left4Dead2.exe
Summary: In the parsing routines of NAV files, which contain the navigation mesh used by the AI for survivor bots, zombies, and the AI director spawning system, a buffer overflow exists which can be used to control the EIP register and take over code execution. Proof-of-Concept: 1. Download the attach...