Singleplayer: Lua sandbox escape from mod

Critical
sfan5 published GHSA-663q-pcjw-27cc Aug 12, 2022

Package

No package listed

Affected versions

<=5.5.1

Patched versions

5.6.0

Description

Impact

In single player, a mod can set a global setting that controls the Lua script loaded to display the main menu. The script is then loaded as soon as the game session is exited.
The Lua environment the menu runs in is not sandboxed and can directly interfere with the user's system.
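A simplified C++ model of the trust boundary described above, added here as an illustration and not taken from Minetest or from the patch: a mod-writable setting feeds the path of a script that later runs unsandboxed, shown next to a variant that refuses that write. The class, function and key names (`Settings`, `menu_script_after_session`, `menu_script_path`) and the default value are hypothetical placeholders.

```cpp
#include <map>
#include <set>
#include <string>

// Simplified model for illustration; every name here is hypothetical.
enum class Caller { Engine, Mod };

class Settings {
public:
    // Vulnerable shape: any caller, including a mod, may write any key.
    void set_unchecked(const std::string &key, const std::string &value) {
        values_[key] = value;
    }

    // Hardened shape: a mod may not write keys that steer unsandboxed code.
    // Returns false when the write is refused.
    bool set(Caller who, const std::string &key, const std::string &value) {
        if (who == Caller::Mod && is_protected(key))
            return false;
        values_[key] = value;
        return true;
    }

    std::string get(const std::string &key, const std::string &fallback) const {
        auto it = values_.find(key);
        return it == values_.end() ? fallback : it->second;
    }

private:
    static bool is_protected(const std::string &key) {
        // Placeholder key standing in for the setting that selects the menu script.
        static const std::set<std::string> denied = {"menu_script_path"};
        return denied.count(key) != 0;
    }

    std::map<std::string, std::string> values_;
};

// Models what happens when the session is exited: the menu loader reads the
// script path from global settings and would run it outside the sandbox, so
// whoever can write that key decides which code runs with full privileges.
std::string menu_script_after_session(const Settings &s) {
    return s.get("menu_script_path", "<builtin menu>");
}
```

The guard sits on the write path because the menu loader has no way to tell afterwards who last set the value.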

Patches

da71e86

Workarounds

None possible (you need to update Minetest or apply the patch)

Severity

Critical

CVE ID

CVE-2022-35978

Weaknesses

No CWEs
