Impact
If at least one mod makes use of the insecure environment (access is granted via secure.trusted_mods), then a different, untrusted mod can use the async environment to receive access to the insecure environment by posing as the other mod.
The "insecure environment" refers to the unsandboxed Lua environment and allows full file system and command line access.
Patches
cb5fa56
On release versions you can also patch this issue without recompiling by editing builtin/async/game.lua and adding the following line at the end:
core.request_insecure_environment = nil
Workarounds
If feasible, disable access to the insecure environment for all mods by clearing the secure.trusted_mods setting.
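As an added example (not part of the advisory or the project's code), this Python script checks an installation against the two mitigations above: whether secure.trusted_mods is empty in the settings file, and whether the text of builtin/async/game.lua contains the manual patch line. The function names, status labels and sample inputs are constructed for illustration; it assumes the usual `key = value` settings format with `#` comments, and it cannot tell whether a build already includes the fix commit.

```python
import re

# Manual patch line from the advisory, uncommented, on its own line.
PATCH_RE = re.compile(
    r"^[ \t]*core\.request_insecure_environment[ \t]*=[ \t]*nil\b", re.M)

def trusted_mods(conf_text):
    """Mods listed in secure.trusted_mods (assumed: last assignment wins)."""
    mods = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "secure.trusted_mods":
            mods = [m.strip() for m in value.split(",") if m.strip()]
    return mods

def has_manual_patch(game_lua_text):
    """True if builtin/async/game.lua text carries the advisory's line."""
    return PATCH_RE.search(game_lua_text) is not None

def assess(conf_text, game_lua_text):
    """Return (status, trusted mods) for one installation."""
    mods = trusted_mods(conf_text)
    if not mods:
        return "no-trusted-mods", mods      # workaround in effect
    if has_manual_patch(game_lua_text):
        return "manually-patched", mods
    return "check-build-for-fix", mods      # confirm the fix commit is included

# Constructed sample inputs (hypothetical mod names, not from the advisory).
SAMPLE_CONF = """# server settings
secure.enable_security = true
secure.trusted_mods = mod_a, mod_b
"""
SAMPLE_LUA_UNPATCHED = "-- core.request_insecure_environment = nil\n"
SAMPLE_LUA_PATCHED = "local x = 1\ncore.request_insecure_environment = nil\n"

if __name__ == "__main__":
    print(assess(SAMPLE_CONF, SAMPLE_LUA_UNPATCHED))
    print(assess(SAMPLE_CONF, SAMPLE_LUA_PATCHED))
    print(assess("secure.trusted_mods =\n", SAMPLE_LUA_UNPATCHED))
```

A "check-build-for-fix" result means trusted mods are configured and the manual line is absent, so the remaining question is whether the running build contains the fix commit.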
References
#14370