CVE-2021-41556

Name of the Vulnerable Software and Affected Versions Squirrel versions 2.2.5 and earlier Squirrel versions 3.x through 3.1

Description The issue allows an out-of-bounds read in the core interpreter, leading to code execution. If a victim executes an attacker-controlled Squirrel script, it is possible for the attacker to break out of the Squirrel script sandbox, even if all dangerous functionality, such as File System functions, has been disabled. An attacker might abuse this bug to target Cloud services that allow customization via Squirrel scripts or distribute malware through video games that embed a Squirrel Engine.

Recommendations For Squirrel versions 2.2.5 and earlier, update to a version later than 2.2.5. For Squirrel versions 3.x through 3.1, update to a version later than 3.1. As a temporary workaround, consider disabling the execution of Squirrel scripts from untrusted sources until a patch is available. Restrict access to the Squirrel Engine to minimize the risk of exploitation.