CVE-2022-35978

HIGH

Minetest - Code Injection

Title source: llm

Description

Minetest is a free open-source voxel game engine with easy modding and game creation. In **single player**, a mod can set a global setting that controls the Lua script loaded to display the main menu. The script is then loaded as soon as the game session is exited. The Lua environment the menu runs in is not sandboxed and can directly interfere with the user's system. There are currently no known workarounds.

Exploits (1)

nomisec WORKING POC

by CanVo · poc

https://github.com/CanVo/CVE-2022-35978-POC

View Code ZIP pw:eip

References (3)

[Release Notes, Vendor Advisory] https://dev.minetest.net/Changelog#5.5.0_.E2.86.92_5.6.0

[Patch, Third Party Advisory] https://github.com/minetest/minetest/commit/da71e86633d0b27cd02d7aac9fdac625d141ca13

[Third Party Advisory] https://github.com/minetest/minetest/security/advisories/GHSA-663q-pcjw-27cc

Scores

CVSS v3 7.7

EPSS 0.1452

EPSS Percentile 94.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:L

Classification

CWE

CWE-693

Status published

Affected Products (1)

minetest/minetest < 5.6.0

Timeline

Published Aug 15, 2022

Tracked Since Feb 18, 2026