Screeps: World updated after alleged remote-code exploit, developers dispute claims


Kotaku reports that Screeps, LLC updated Screeps: World "in order to protect both players" and their "own reputation" after the discovery of an alleged "remote code execution vulnerability" that would enable players to take control of other players' computers. Security researcher Isaac King posted on X that the game allowed "any other player in the game world to gain remote access to your computer," and published a detailed write-up on his blog explaining the exploit and offering an analogy for non-programmers.

Screeps: World is a programming game that lets players write JavaScript to control AI units. King says the developers had been aware of the issue since July 2024, when a developer replied on GitHub that they "do not see this as a serious security threat," and a user on the game's Discord noted the vulnerability had been abused in the past.

The game currently sits at a "Very Positive" Steam score with roughly 1,876 reviews and, according to VG Insights, more than 113,000 purchases. The game's official X account called the accusation "at the very least, a clickbait exaggeration, and at worst, malicious defamation intended to cause reputational damage," and said the alleged vulnerability had been removed from Screeps: World as of January 25.

