Buffer Overflow Vulnerability in Valve's Source SDK Affects Game Security
CVE-2017-20205

9.2 CRITICAL

Key Information:

Vendor
CVE Published: 15 October 2025

What is CVE-2017-20205?

Valve's Source SDK (source-sdk-2013) is susceptible to a stack-based buffer overflow due to insufficient bounds checking in the tokenizer function nexttoken. When the ParseKeyValue function processes a collisionpair rule that exceeds the fixed-size buffer limit of 256 bytes, it can lead to stack memory corruption. An attacker can exploit this vulnerability by supplying maliciously crafted ragdoll models, enabling potential remote code execution on both client and server environments. Although Valve has issued fixes for many of their games, developers of independently created games are required to implement patches manually to mitigate this vulnerability.
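The missing bounds check described above, shown as an added example of the hardened pattern; this is not Valve's code or the published patch. The function names, the "a,b" value layout and the comma separator are assumptions for illustration; only the 256-byte buffer size comes from the advisory text.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define TOKEN_MAX 256 /* fixed token buffer size cited in the advisory */

/* Hypothetical bounded tokenizer. An unbounded version would copy bytes until
 * the separator without knowing how large dst is, so a long field overruns it.
 * Here the caller passes dst_size. Returns a pointer past the token, or NULL
 * if the token plus its NUL does not fit; dst is always NUL-terminated. */
const char *next_token_bounded(char *dst, size_t dst_size,
                               const char *src, char sep)
{
    size_t n = 0;
    if (dst_size == 0) return NULL;
    while (*src && *src != sep) {
        if (n + 1 >= dst_size) { dst[0] = '\0'; return NULL; }
        dst[n++] = *src++;
    }
    dst[n] = '\0';
    return *src ? src + 1 : src;
}

/* Parse an assumed "a,b" pair value; 0 on success, -1 if oversized or incomplete. */
int parse_pair_rule(const char *value, char *a, char *b, size_t size)
{
    const char *rest = next_token_bounded(a, size, value, ',');
    if (!rest) return -1;
    rest = next_token_bounded(b, size, rest, ',');
    return (rest && b[0]) ? 0 : -1;
}

/* Constructed input: a first field of `len` bytes followed by ",x".
 * Returns the parsed length of the first field, or -1 if rejected. */
int try_field_len(size_t len)
{
    static char rule[4096];
    char a[TOKEN_MAX], b[TOKEN_MAX];
    if (len + 3 > sizeof rule) return -1;
    memset(rule, 'A', len);
    memcpy(rule + len, ",x", 3);
    if (parse_pair_rule(rule, a, b, sizeof a) != 0) return -1;
    return (int)strlen(a);
}

int main(void)
{
    printf("255 bytes -> %d\n", try_field_len(255));   /* fits with the NUL */
    printf("256 bytes -> %d\n", try_field_len(256));   /* rejected */
    printf("1000 bytes -> %d\n", try_field_len(1000)); /* rejected */
    return 0;
}
```

Rejecting the whole rule on an oversized token, instead of silently truncating it, keeps a malformed model file from being half-parsed.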

Affected Version(s)

Source SDK (source-sdk-2013) source-sdk-2013

References

CVSS V4

Score: 9.2
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

One Up Security, LLC