Earlier this week, Cyberpunk 2077 developers CD Projekt Red warned players about a security vulnerability that existed when installing some mods or custom save files after some modders themselves warned CDPR about it. They said they'd get on patching that up right quick and as of today it has been. They've put out hotfix 1.12 to make your modding experience safe, or at least safer, again.
It's quite a short changelog, as presumably CDPR were looking to get this particular issue solved quickly. "This update addresses the vulnerability that could be used as part of remote code execution (including save files)," they say in the patch notes. They've "fixed a buffer overrun issue," and "removed/replaced non-ASLR DLLs."
As a refresher on what was going on, CDPR explained to Eurogamer earlier this week:
"This issue can be potentially used as part of a remote code execution on PCs. We appreciate their input and are working on fixing this as soon as possible. In the meantime, we advise everyone to refrain from using files obtained from unknown sources. Anyone who plans to use mods or custom saves for Cyberpunk 2077 should use caution until we release the aforementioned fix."
The modder credited with identifying the vulnerability has explained in a post that "Although executable mods will always be potentially dangerous, asset archives and save files always look harmless(because they SHOULD be as harmless as text files). This vulnerability impacts mods of these data files and make them execute arbitrary code when loaded by the game." There's a much longer explanation of exactly which kinds of mods could be used to exploit this vulnerability in the main post as well.
With this hotfix out and downloaded it's at least slightly safer to go back to installing your mods of choice and sharing save files. Probably. Unless something else major comes up.
If you happen to be shopping around for some, RPS has you covered with a list of the best Cyberpunk 2077 mods.