LiveActive security incident?Get immediate response
CVE Record

CVE-2017-20205: Valve Source SDK Stack-Based Buffer Overflow RCE

Valve's Source SDK (source-sdk-2013)'s ragdoll model parsing logic contains a stack-based buffer overflow vulnerability.The tokenizer function `nexttoken` copies characters from an input string into a fixed-size stack buffer without performing bounds checks. When `ParseKeyValue` processes a collisionpair rule longer than the destination buffer (256 bytes), an overflow of the stack buffer `szToken` can occur and overwrite the function return address. A remote attacker can trigger the vulnerable code by supplying a specially crafted ragdoll model which causes the oversized collisionpair rule to be parsed, resulting in remote code execution on affected clients or servers. Valve has addressed this issue in many of their Source games, but independently-developed games must manually apply patch.

CriticalCVSS 9.2Not KEV-listedUpdated
Glexia's TakeAutomated analysiscritical

Security readout for executives and security teams

Plain-English summary

A flaw in Valve's Source SDK lets an attacker run code on a player's computer or a game server simply by getting them to load a booby-trapped 3D character model. Many official Valve titles have been patched, but games built by independent studios on top of the same SDK must apply the fix themselves, leaving some still exposed.

Executive priority

High priority only if the organization ships, hosts, or relies on Source-engine games or mods; otherwise informational. Where exposure exists, treat as a critical client/server RCE and demand a patched build from each affected game vendor before continued use.

Technical view

The `nexttoken` tokenizer in Source SDK's ragdoll/`ParseKeyValue` logic copies a `collisionpair` rule into a fixed 256-byte stack buffer (`szToken`) without bounds checking, producing a classic CWE-121 stack overflow that can overwrite the saved return address. A crafted ragdoll model triggers the parser and yields remote code execution on Source-engine clients or dedicated servers running unpatched builds derived from `source-sdk-2013`.

Likely exposure

Exposure is concentrated in independently-developed Source-engine games and mods built from `source-sdk-2013` that have not pulled Valve's fix. Players who connect to community servers or load third-party content, and operators of dedicated servers for those titles, are most at risk; corporate environments are unlikely to be directly exposed unless these games are present.

Exploitation context

Per the OneUp Security and VulnCheck advisories, the bug is remotely triggerable by feeding a malicious ragdoll model through normal asset-loading paths, and Valve has shipped fixes to many of its own Source titles. The CVE is not listed in CISA KEV and the bundle does not cite confirmed in-the-wild exploitation, but a public technical write-up exists, raising likelihood of weaponization against unpatched downstream games.

Researcher notes

Vulnerability is CWE-121 in `nexttoken` within ParseKeyValue's collisionpair handling, with the 256-byte `szToken` stack buffer overrun reaching the saved return address. Valve patched first-party titles but `source-sdk-2013` forks must port the change, so audit any downstream repo for the unguarded copy loop. CVSS 4.0 9.2 with AV:N/PR:N/UI:N aligns with a network-reachable, no-auth, no-interaction trigger via asset parsing; AT:P reflects dependence on the victim loading a crafted model.

Mitigation direction

  • Inventory any Source-engine titles or mods built from source-sdk-2013 across endpoints and game servers.
  • For Valve titles, install the latest game updates that incorporate Valve's ragdoll parser fix.
  • For independent Source games, contact the developer and confirm the upstream patch has been merged.
  • Restrict players and servers to trusted content sources until downstream developers ship patched builds.
  • Where feasible, isolate gaming endpoints from sensitive corporate networks and accounts.

Validation and detection

  • Identify installed games or servers whose binaries derive from the source-sdk-2013 codebase.
  • Compare the affected `nexttoken` / `ParseKeyValue` logic against Valve's upstream patched commits referenced by OneUp Security.
  • Check each title's release notes or developer advisory for an explicit CVE-2017-20205 fix statement.
  • Test client and server builds in a lab by loading benign oversized-token models to confirm graceful handling.
  • Monitor crash telemetry on game servers for ragdoll-parser faults that could indicate exploitation attempts.
Prepared
Confidence
medium
Sources
5

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-121: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Execution behavior lookup

The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2017-20205 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Critical
CVSS
9.2 (4.0)
Known Exploited
No
Published

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
4Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
9.2CVSS 4.0CriticalCVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:NPrimary CVE score

Vulnerability scoring details

Base CVSS 4.0 score

9.2Critical
CVSS 4.0 vector shape for CVE-2017-20205Attack VectorAttack ComplexityAttack RequirementsPrivileges RequiredUser InteractionVS ConfidentialityVS IntegrityVS AvailabilitySS ConfidentialitySS IntegritySS Availability

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Attack Requirements
NonePresent
Privileges Required
NoneLowHigh
User Interaction
NonePassiveActive
VS Confidentiality
HighLowNone
VS Integrity
HighLowNone
VS Availability
HighLowNone
SS Confidentiality
HighLowNone
SS Integrity
HighLowNone
SS Availability
HighLowNone
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
Valve SoftwareSource SDK (source-sdk-2013)source-sdk-2013unaffected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-121 · source CWE mapping

Stack-based Buffer Overflow

Stack-based Buffer Overflow represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.