Security readout for executives and security teams
Plain-English summary
A flaw in Valve's Source SDK lets an attacker run code on a player's computer or a game server simply by getting them to load a booby-trapped 3D character model. Many official Valve titles have been patched, but games built by independent studios on top of the same SDK must apply the fix themselves, leaving some still exposed.
Executive priority
High priority only if the organization ships, hosts, or relies on Source-engine games or mods; otherwise informational. Where exposure exists, treat as a critical client/server RCE and demand a patched build from each affected game vendor before continued use.
Technical view
The `nexttoken` tokenizer in Source SDK's ragdoll/`ParseKeyValue` logic copies a `collisionpair` rule into a fixed 256-byte stack buffer (`szToken`) without bounds checking, producing a classic CWE-121 stack overflow that can overwrite the saved return address. A crafted ragdoll model triggers the parser and yields remote code execution on Source-engine clients or dedicated servers running unpatched builds derived from `source-sdk-2013`.
Likely exposure
Exposure is concentrated in independently-developed Source-engine games and mods built from `source-sdk-2013` that have not pulled Valve's fix. Players who connect to community servers or load third-party content, and operators of dedicated servers for those titles, are most at risk; corporate environments are unlikely to be directly exposed unless these games are present.
Exploitation context
Per the OneUp Security and VulnCheck advisories, the bug is remotely triggerable by feeding a malicious ragdoll model through normal asset-loading paths, and Valve has shipped fixes to many of its own Source titles. The CVE is not listed in CISA KEV and the bundle does not cite confirmed in-the-wild exploitation, but a public technical write-up exists, raising likelihood of weaponization against unpatched downstream games.
Researcher notes
Vulnerability is CWE-121 in `nexttoken` within ParseKeyValue's collisionpair handling, with the 256-byte `szToken` stack buffer overrun reaching the saved return address. Valve patched first-party titles but `source-sdk-2013` forks must port the change, so audit any downstream repo for the unguarded copy loop. CVSS 4.0 9.2 with AV:N/PR:N/UI:N aligns with a network-reachable, no-auth, no-interaction trigger via asset parsing; AT:P reflects dependence on the victim loading a crafted model.
Mitigation direction
- Inventory any Source-engine titles or mods built from source-sdk-2013 across endpoints and game servers.
- For Valve titles, install the latest game updates that incorporate Valve's ragdoll parser fix.
- For independent Source games, contact the developer and confirm the upstream patch has been merged.
- Restrict players and servers to trusted content sources until downstream developers ship patched builds.
- Where feasible, isolate gaming endpoints from sensitive corporate networks and accounts.
Validation and detection
- Identify installed games or servers whose binaries derive from the source-sdk-2013 codebase.
- Compare the affected `nexttoken` / `ParseKeyValue` logic against Valve's upstream patched commits referenced by OneUp Security.
- Check each title's release notes or developer advisory for an explicit CVE-2017-20205 fix statement.
- Test client and server builds in a lab by loading benign oversized-token models to confirm graceful handling.
- Monitor crash telemetry on game servers for ragdoll-parser faults that could indicate exploitation attempts.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-121: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupExecution behavior lookup
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
Open ATT&CK lookupCVE-2017-20205 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Critical
- CVSS
- 9.2 (4.0)
- Known Exploited
- No
- Published
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N——Primary CVE scoreVulnerability scoring details
Base CVSS 4.0 score
9.2CriticalVector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Source materials
- CVE List V5 sourceCVE List V5
- https://www.oneupsecurity.com/research/remote-code-execution-in-source-games/CVE reference · technical-description, patch
- https://github.com/ValveSoftware/source-sdk-2013CVE reference · product
- https://www.vulncheck.com/advisories/valve-source-sdk-stack-based-buffer-overflow-rceCVE reference · third-party-advisory
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
Stack-based Buffer Overflow
Stack-based Buffer Overflow represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
