Squirrel Engine Vulnerability Puts Millions of CS:GO Fans at Risk

A recent code quality audit of the Squirrel Engine framework has uncovered a vulnerability that could allow attackers to escape the sandbox (VM) and take control of a server. Although the issue has already been addressed, a stable version with the patch has not yet been released.

The Squirrel scripting language is widely used in video games and cloud services for customization and plugin development. The Squirrel Engine framework, for example, enables the massive communities of Portal 2 and Counter-Strike: Global Offensive to create and share their own mods and maps. Squirrel scripts are also used on IoT platforms (such as Electric Imp Cloud) and in distributed data processing (like Enduro/X).

The vulnerability, identified as CVE-2021-41556, was discovered in the Squirrel Engine static library by auditors from the Swiss company SonarSource. According to their report, the root cause is a buffer over-read error that occurs when executing untrusted code.

This flaw allows attackers to break out of the Squirrel virtual machine and gain access to the computer running it. For example, a malicious actor could embed a harmful Squirrel script into a CS:GO map and upload it to the Steam Workshop for public use. The exploit would trigger when someone downloads the infected item, giving the attacker full control over the victim's server.

The vulnerability has been confirmed in Squirrel versions 2.x and 3.x (the latest official release, 3.1, came out in 2016). The Squirrel Engine developers have made the necessary changes to the source code on GitHub, but these fixes have not yet been included in the stable branch. Users who rely on Squirrel scripts are advised to recompile their products using the published patches.
