RPG Maker MV and MZ Have a Critical OS Command Injection Vulnerability
The vulnerability affects all current versions of two widely used game development tools, leaving a large number of user-created games and their players at risk until a fix arrives.
Key Facts
- Japan Vulnerability Notes disclosed a vulnerability in RPG Maker MV and MZ on June 30 that allows arbitrary OS command execution via a malicious save file.
- Gotcha Gotcha Games has not released a patch and instead warns users to only load games, saves, and assets from trusted sources.
- The affected versions are RPG Maker MV 1.6.3 and earlier, and RPG Maker MZ 1.10.0 and earlier.
- The company recommends players use only save data they created themselves and avoid files from social media, file-sharing services, or unknown third parties.
- The vulnerability is tracked as JVN#69681784.
Reporting from 1 source: Automaton.
Japan Vulnerability Notes reported a vulnerability in RPG Maker MV and MZ that allows arbitrary OS command execution via crafted save data. Developer Gotcha Gotcha Games has warned users not to load games, saves, or assets from untrusted sources. No patch has been released yet.
Japan Vulnerability Notes disclosed a vulnerability in RPG Maker MV and MZ on June 30 that could let an attacker execute arbitrary OS commands by loading a malicious save file. Gotcha Gotcha Games, the developer of the tools, responded with a warning rather than a patch: users should only load games, save data, and assets they trust. The affected versions are RPG Maker MV 1.6.3 and earlier, and RPG Maker MZ 1.10.0 and earlier. Since no update has been released, the company recommends players use only save data they created themselves and avoid files from social media, file-sharing services, or unknown third parties. The vulnerability is tracked as JVN#69681784.
Synthesized by Yomimono from the 1 cited source below, including Japanese-language reporting where cited, then editorially reviewed before publishing.