Counter-Strike 2 Patch Fixes HTML Injection Exposing Player IP Addresses

Valve Fixes HTML Injection Vulnerability in Counter-Strike 2

Valve has addressed an HTML injection issue in Counter-Strike 2 (CS2) that previously allowed players to expose the IP addresses of others. The vulnerability was actively exploited to insert images into the game, which could then be used to determine the IP addresses of other players.

Details of the Vulnerability

Initially, this flaw was thought to be a more serious XSS (Cross-Site Scripting) issue, which would have allowed the execution of JavaScript code on the client side. However, further analysis revealed that it was limited to HTML injection, enabling the insertion of images into the game interface.

Counter-Strike 2 uses Valve’s Panorama UI, which relies on CSS, HTML, and JavaScript. This system allowed input fields to accept and render HTML without converting it to plain text. As a result, any HTML entered into these fields would be rendered as actual HTML in the game.

How the Exploit Worked

Players began reporting that some users were abusing this HTML injection flaw to insert images into the voting panel used for kicking players from matches. While many used the exploit for harmless pranks, some leveraged it to reveal the IP addresses of other players in the match. This was done by embedding an <img> tag that loaded a remote IP logger script, capturing the IP addresses of anyone who viewed the voting panel.

With these IP addresses, attackers could potentially launch DDoS attacks against players, forcing them to disconnect from matches.

Valve’s Response and Patch

Valve released a small 7 MB patch to fix the issue. Now, any HTML entered into input fields is converted to plain text, so HTML code is displayed as a regular string rather than being rendered. This effectively neutralizes the exploit, as shown in the screenshot below:

  • HTML injection is no longer possible in voting panels or other input fields.
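The difference between rendering a player name as markup and converting it to plain text first can be shown in a few lines. This is an added example, not Valve's code or the Panorama API: the function names, the vote-label markup and the sample name (which points at a reserved .invalid host) are all assumptions made for illustration.

```javascript
// Added illustration; every name here is hypothetical, not part of Panorama.

// Characters that change meaning when a string is parsed as HTML.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Convert untrusted text into an inert string for an HTML-rendering label.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Behaviour described before the patch: the name is spliced into markup as-is.
function renderVoteLabelUnsafe(playerName) {
  return `<span class="vote-target">Kick player: ${playerName}?</span>`;
}

// Behaviour described after the patch: tags in the name show up as literal text.
function renderVoteLabelSafe(playerName) {
  return `<span class="vote-target">Kick player: ${escapeHtml(playerName)}?</span>`;
}

// Audit helper: names of the opening tags an HTML renderer would see in the markup.
function openingTags(markup) {
  return Array.from(markup.matchAll(/<([a-z][a-z0-9]*)\b/gi), (m) => m[1].toLowerCase());
}

// Constructed sample input: a player name carrying an image tag.
const SAMPLE_NAME = '<img src="https://logger.example.invalid/p.png">';

// Compare what each renderer hands to the UI for the same name.
function compareRenderers(playerName) {
  return {
    unsafeTags: openingTags(renderVoteLabelUnsafe(playerName)), // wrapper plus injected tag
    safeTags: openingTags(renderVoteLabelSafe(playerName)),     // wrapper only
    safeMarkup: renderVoteLabelSafe(playerName),
  };
}

console.log(compareRenderers(SAMPLE_NAME));
```

With the escaped version the renderer sees only the wrapper element, so every client viewing the panel displays the tag as text and makes no request to the remote host.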

Previous Similar Vulnerabilities

A similar bug was found and fixed in the Panorama UI of Counter-Strike: Global Offensive in 2019. That vulnerability also allowed HTML injection in voting panels, but it could be used to execute JavaScript, making it a full XSS vulnerability capable of remote code execution.
