#[Updated] Addressing a Security Vulnerability

https://theindiestone.com/forums/index.php?/topic/92297-addressing-a-security-vulnerability/

Update (2026-05-03) - The Legacy branches have been restored with the exception of the 42.13.1 branch which was due to be deleted anyway. The team still needs to patch Build 38's server so it currently will not work, but that should be resolved in the next couple of hours, tomorrow at the latest.

👏🏻

Interesting. Glad the community has the interest and ability to report this properly.

Killed

The modding community is great for this sort of thing. And the reporter was really helpful in resolving this. They aren't mentioned here as we wouldn't mention them without their sign off, but we're in touch with them thanking them.

Great to hear

(Copy/pasting my comment from the reddit post, but figure doesn't hurt to cross-post it here for discussion);

Thanks TIS and @rain girder

Getting advance notice of an imminent patch is fantastic and I really encourage this to become the norm moving forward. We run one of the largest Aus/NZ PZ multiplayer communities and unannounced/unexpected wipes can be quite disruptive as I'm sure you understand.

As best as you're able to share right now, is it likely that MP servers running 42.14.1 will be able to simply update to 42.15.1 without requiring a fresh-wipe? Is there anything changing on the backend in this patch that is likely to necessitate a wipe?

Thanks so much in advance!

It is always recommended to wipe on every new update. It's possible that your save will work, but we can never guarantee that and there are always chances for unexpected bugs. I said something like this similar elsewhere

Every update will break your save. You might not notice the break, but every update will break something

Unstable really isn't designed for long playthroughs. We are in the home stretch of unstable though, and once B42 stable is launched the multiplayer community will be a lot happier.

Thank you kindly!

I’m just wondering if 42.15 is really coming next week as mentioned, because our server is currently affected after running on 42.13.2.

Unless a significant issue is discovered between now and then, it is.

Sully can ya tell us if next week release is aimed for monday or thursday?

https://tenor.com/view/cute-awww-raccoon-gif-24292933

And exactly everything that will be in it

Hehe yes please that'd be nice too

What does home stretch means here? Thanks

Also about 42.16 when??

You know when you really need to pee, and shortly before you finally go through your door and you unbuckle your pants, the first drop already is about to leave your bladder system?
It's that

Home stretch is an English phrase that comes from baseball. When a runner goes from third base to the home plate that is the home stretch. It basically means they are very close to a stable version

I liked mine better

Sweet, thanks guys

It was definitely something

something better

So hopefully home stretch means before 2027 🙏🏻

The real question is, will catters be the sacrificial lamb again?

Security fix is good but servers near top 10 are being extorted and ddosed constantly with no solution provided by hosts or devs

What are the Devs supposed to do about a Hardware/Network issue of the hoster?

genuienly, that is between you and your service provider and if they dont offer any form of ddos protection, you might want to switch away from them

A PSA would be nice or something.. Not fun wakening up to your server being hit offline by Russian pedos that infiltrate groups and distribute csam to members

they did state that servers in general are for small friend groups or invite-only communities...

other than that it's pretty much keeping your own community clean, i really dont see how this is on the devs

I am not blaming the devs, they just gotta get more proactive on this before Zomboid has the same reputation Roblox has for their inaction combating this behavior

Roblox is a service provider with a overarching moderation system, Zomboid is a game with community game servers, more akin to Minecraft, that implement vastly different moderation styles

there really isnt anything a dev can do, report those players to relevant law enforcement and remove them from your community, for network issues talk with your hosting provider and/or switch hosting providers when they dont want to offer basic services

When you host a server and associated communities with it, no data is leaving your system, so you generally take the responsibility to moderate that community and that does include sorting out people not fit for being in any form of community, thats sadly the reality of it

Heyyy I was right, it was related to modding

it was you, wasnt it

Project Rootkitzoid

Project Arbitrary Codezoid

it wasn't I am not that smart, I just have been around the game industry for far too long

You cant predict something like this and you have to act fast on it.

Roblox is a multi billion dollar corporation, TIS is an indie studio. There is a slight difference

yeah, zomboids actually fun

no need to cross that out

Darn there goes my bitcoin mining scheme

We missed a golden opportunity to put a trojan in the horse mod 😔

The “home stretch” is the final part of a race track, the last curve on the way to the finish line. In this context it's used in its figurative sense, which refers to the final effort towards achieving a goal. i.e., they are getting close to moving to stable

"Trojan Horse" -- absolute gold

🐴

are you telling us we almost had an incident like people playground?
🙏 godbless that guy who reported it

No no, stop being positive, don't you understand? Reddit told me to be negative!

"We are in the home stretch of unstable" 👀

https://tenor.com/view/endgame-now-gif-14938794

Sully putting an ETA on 42.15 in there was bold

Very surprising indeed

What happened theres

someone put a virus in a mod that spread to a bunch of other mods
the virus deleted all achievements and saved stuff
it got to a point where they had to disable the workshop

Oh wow that sucks

That's not what happened. A security vulnerability was reported. It was a bad one. We put out an emergency patch and nuked all the old public builds until they can be patched (we are working on that atm).

ah
i was talking about the people playground incident where someone infected half the workshop with a virus

Oh I guess it helps if I read up lol

Wow, that's crazy. That flaw in PZ could cause something like that, but TIS was quick to fix it :)

no worries

How dare they 😥

#1478713600821694524 message

i do kinda wish we'd get a write up what happened when its fully fixed and some time has passed that most people should be on a patched version

It was knoxd up

We won't be going into details. Highlighting a vulnerability, even one that is now patched, bring attention to potential attack vectors

best to be as vague as possible

I'd just assume something went wrong with the lua implementation that allowed code to be run that shouldnt have been possible

but its more about being curios, than any need to know, i enjoy reading up how people find vulnerabilities like this

see the Linux one last year, someone was peeved it took a few ms longer than it should

While I am curious, discussing the nature of a potential cyber attack is a terrible idea

why are the comments on the forums the worst takes known to man

Its kind of funny

did reddit figure out they can create forum accounts?

i read a few of em and its like real people had no part in writing it

There has been a disturbing number of people who wanted us to leave the vulnerability in

my dumbass thought you meant here 😭

yeah i saw that its wild

yes, it was a particular server yesterday too...

We were talking with someone in the modding server who was mad at TIS letting this problem happen despite the fact that this patch made the problem not happen

how the hell do you even have fun on a server with 600 people...

boy dont tell the dude that CVE exists

he might loose his mind at whats out there

I asked him if he was using Windows 11 and he never responded

windows and macos suck
all the OS sucks

You have way more security issues on that than a silly zomboid mod

Dont tell people who insist on using a hundred mods that every update can brick their save, and they get really upset when their save inevitably bricks every update.

can we go back to unstable being used to try out new content early and help the devs by patching bugs

no, i think that ship has sailed

apparenetly people are also review bombing?

not that it'll do much steam will delete em for spam and bonk the accounts

i lost a 8 month world a couple months ago, and i was just excited because of the new patch

The Zomboid communuty has some of the best people ive met online, which is why its so funmy that a masdive portion of the playerbase is so... interesting

spent like 3 hours in debug

macOS - cant play anything
Windows - breaks every update from ai coding

Reveiw bombing bc you fixed a security issue is interesting

i just wish they updated the b42 furry mod i wanna try it 💔

are people actually review bombing

lemme check

theres no shot

There was an attempt but its not going anywhere

Because its stupid

And they should be emberassed

i am gonna censor it, but...

wat

proceeds to play another 6 hours in under 24hours

In all fairness that playstyle isnt for everyone

those are mostly as a joke

people like to "badly" review games they play alot because its funny

How dare you be bitten in a zombie game

Thats one of the more legit negative reveiws buts its more of a difference in taste

they seem to like the game, given their hours

and the post itself is almost certainly sarcastic

i miss the time people actually used reviews to review

and well, guides for that matter

im guessing the censored part is a bad pfp

nah, username, dont wanna be bonked by the moderation

ahh
let me guess its a certain ww2 group

no, i just dont generally want to put people on blast

you dont know whos reading and some people are unhinged

ohh

my bad

i dunno, dont you generally do research before you buy a game?

Like i was on the fence back the pre rona times about this game, because watching friends play it just looked odd, only really after watching a "beginners guide" just showcasing the what feels like 400 different systems working did i really get into it

Can you confirm how many lines there are in the list of changes / bugfixes / fixes , etc. for 42.15.0?

I want the number of BBCode lines of text that you will be posting to the official forums. I just wanted to know the size.

lmao

I feel like that list is probably not finalized haha

1342

Ok nvm lol

Good enough for me.

Larger than 42.14.1 changelog is always great.

Can confirm it is definitely larger than 42.14.1's changelog

Good

I'm happy, content, moisturized, silky, waxed.

ayo

im not sure how i should feel about that

There is more than that on this server and I have fun here

am talking about gameservers

can u confirm if anything new was added

https://tenor.com/view/stupid-baby-stupid-baby-corner-cats-corner-gif-26206322

Keep your expectations low, as theyve said

Are any of the small surprises we had left thet you mentioned coming on .15?

https://tenor.com/view/oceansjonas-bear-in-the-big-blue-house-sniffing-smelling-gif-9077831805310939164

yes... but that's all you get

Good enough to get hyped!

https://tenor.com/view/hop-on-project-zomboid-project-zomboid-gif-27196322

Gosh the first gif for hop on project zomboid is wild

Ugh do i have to wait for ANOTHER update

Lol, i went n looked thanks

Ohhhh

Fair

Tbh large servers can be really fun, you can meet some excellent people

https://tenor.com/view/zomboid-dog-gif-15735278909360391194

Especially if they have a trade hub somewhere where people can show off their wares is pretty cool

https://cdn.discordapp.com/attachments/922001138365128715/1305066970332397669/fb7ad740107977152505068851aa4971.gif

I wanna play Zomboid mp at some point

It's super fun

Its fun , i played and was driving my car down muldrag and stopped and was like man i hope someone doesnt run into me lolsure as shit happened, past 4 hours were quiet

maybe i host a lil invite only server for stable, gonna depend on how motivated i am

Other people in cars sure is a whole new (to me) fun thing to be paranoid about

Especially now that you can get run over as a pedestrian

Yeah lol , i cant wait to get hit by a car

And I'm sure it has nothing to do with big map changes from what's been posted in the #pzwiki_editing chat at all :)
(please I want the map updates soon)

I'd assume thats for the next build, no?

No no, we haven't even gotten the official mapping tools yet

There are still some map updates left, at least for bugs

https://tenor.com/view/asgore-undertale-deltarune-gif-8006577193793263180

Will we receive any new documentation for modders in 42.15? Or is that being saved for. 42s full release?

Okay now I am excited for .15

Just in case, 42.14.1's changelog was very small as it was a hotfix. Any content patch will be bigger than that. Was shitposting. It'll have some new content. I think people will enjoy it. I do. But temper expectations as always

Too late. My expectations could not be higher.
I cannot wait to see the gigabytes of new systems and content that .15 will surely introduce.
I can't believe we are finally getting kangaroos. Knox County has never been more realistic.

https://tenor.com/view/darth-vader-no-noooo-gif-7347380959994097336

Cant believe theyre adding Tokyo as a second map in 42.15

So excited

Everyone knows the north LV bridge connects to southern Tokyo

lmao, were finally going to space?!

careful someones gonna ss and post it somewhere

True!

Cant believe we will finally be getting dental care health update after all these yearsss!

But... Lisa needs braces

"Dental plan!"

Chronic illness update when

has this been fixed

its still gone for me

What part?

the other bulids

like 42.13

They are working their way through the builds applying the patch. I dont think 42.13 is coming back though with 42.15 coming next week

oh so the just took them off

Only the old legacy builds will return like 38, 39 and 40 I think

B42.13 was planned for removal anyway

just wwanted to make sure i didnt get hacked lol

No ur fine haha

yeah true

thank u bro\

The exploit didnt happen, but the possibility of it was pointed out so theyre patching it out

We have put forth an emergency patch to deal with a security vulnerability that was indentified. We fully intend to bring back the legacy builds if possible, however the 42.13 builds were intended to be removed with the next update anyway, so it would not be an efficient use of developer resources to patch those builds.

AAHHH THE UNSTABLE BRANCH IS UNSTABLE ALL OF OUR PCS ARE HACKED EVERYONE RUN AROUND IN CIRCLE AND START SCREAMING IMMEDIATELY!!!!!!!

Oh nvm it's fixed

Good work TIS boys and girls

Im telling reddit

Lmao I read this as the base runner was close to a stable version

https://tenor.com/view/flanders-nighty-night-the-simpsons-goodnight-smother-gif-11548515

Ty

https://tenor.com/view/finally-twilight-vampire-at-last-gif-16732348

@rain girder will there be an update on discord/somewhere when 42.12.3 is patched and live again on Steam? Just wanted to know what to look for when it's added back thanks!
#1478612731882897592 message

Are they bringing back 12.3?

Was that outdatedunstable?

Yeah a tech support dev confirmed it #1478816596150714509 message
I followed up asking about the naming convention of versions but it was in the middle of EU night so unsure at the moment if its "outdatedunstable" currently or something else later tomorrow.
#1478612731882897592 message

I have PZ set to "update when launched" so im holding off on loading the game until its confirmed live

Sully and nasko said outdatedunstable will always be one build behind so when 42.15 comes out 42.14 will go to outdatedunstable

What I'm really curious about is how long 42.12.3 will stay on Steam even after the patch, that dev said their policy is: B41, 1 latest Unstable, 1 previous version Unstable.... but by that logic after 42.15.x drops next week 42.12.3 will be replaced with B42.13.2... whereasin the past theyve seemed to keep like +-3 Unstable branches live + B41. So I dunno, I'm prob gonna end up running that SteamDB Manifest version of B42.12.3 either way as I paly completely offline, -nosteam modded version anyway.

Yeah thats what I was curious theyre saying 42.12.3 is coming back, but who knows how long... despiite them running like what 4x different B42 branches up until this week? I'm gonna test the SteamDB offline version tomorrow and if it works just call it a day on that 9 month save untii B42 Stable fresh wipe.

Just move the files out of steamapp folder, easy

I think to run ProjectZomboid64.exe it still has to handshake with Valve servers one way or the other for DRM stuffs etc no?

no

there is no "drm"

I literally can play any of these

oh snappy

the only thing that it will do is check the workshop on launch if you don't have -nosteam

yeah I run a -nosteam local save

so then you are fine

just move the folder, make your shortcut point to where the files are

Pov you pissed off the Spiffo mafia

Spiffo be praised ❤️

So when they reupload 42.12.3, I should just copy the local /steamapps/common/Project Zomboid/ folder and run the exe from that directory and be gucci??

if you haven't updated it you should already be able to do that

and then just ignore it through steam

or if you want the vulnerability fix then yea you would do that

Well the "dont update until game launch" isnt the same as ZERO updates from the game itself - whenever they push a new branch/delete an old one Steam still pushes a mandatory update even if I dont launch the game. That being said the 1st thing I did when I saw the news was run another full backup of the game, among other backups every ~week or so for my 42.12.3 game iinstall/local mods/saves.

if you move the folder though it will not be able to push that update to it

yeah im not concerned about that as I do not update any mods and dont use any live workshop mods on my SP save... and other general protections outside of gaming.

bah yeah wish i correlated the 2 when it autoupdated

then you should be good to go 🙂

but since theyre saying theyre pushing a security patched 42.12.3 tomorrow anyway, I'll just make sure to copy that /steamapps/ version immediately when it goes live, hence my 1st post wondering if they'll announce its back up/what they'll call it haha

cus im assming the current "outdatedunstalbe" isnt 42.12.3 yet

unless.... they already patched it and didnt say anything haha it would be a very small portion of the playerbase and totally get why they wouldnt say anything to silently patch it

it was 42.13.2 and won't be back to 13.2 again as 15 comes out next week

so it will be 14.1 when they release a new build onto it

not sure why someone with official PZ tags would say otherwise
#1478612731882897592 message

that was from the forum post from sully

now 42.12.3 might return patched, but it won't be under the outdatedunstable branch

it would be it's own seperate one

Yeah totally that what I thought it would be too

they might do the same for 13.2? I am not sure

both Nasko and sully said that, maybe they have more up to date information than Beard

since there's always been like 3-4x B42 branches up til this week

yup yup

Oh you were on Crusader Strike me too

I miss SoD so very much

I also did a full game backup thru Steam's backup option on 02/12/26 and again after this patch was released before I laucnhed the game to update it.. is that the same as copying the local /steamapps/ folder? I only dread what handful of mods I added (that worked on B42.12.3) would still work or not.... or if my save file created after those backups would crash or not iif that makes sense? (I only play with -nosteam mods)

LMFAOOOOOOOOOOO no wayyyy. We were just talking about who we miss SOD sooo much too. Theyre realllllly teasing us with Classic+ lmao

Lolllll 100% I pray they do good things with C+ eventually

I do not believe so, if you restore it would place the files back to a steamapp folder which would then check the server for updates if you launched it that way

but granted I have only used that function once and it was for transfering files between two computers on a network

yeah i jsut checked theyre all just reference files or something

well FINGERS CROSSED they do actually release 42.12.3 on Steam again like that other dev seemed pretttyyyy confident they do, ill do what ya said and just copy he full directroy to another drive and launch it locally not through steam. theres nothing else I need to do for that launch method?

i waited like almost 2 years after B41 to finallllly play again cus i had no idea Stable would be that far off, and knew Id hold on to it until B42 Stable but im in no mans land now of like 6 month save haha

nope just move the folder, and then personally I create a shortcut (as you saw in the picture) for the different launch options

(or felt like 2y lol)

and then you are good to go 🙂

ahh yeah the shortcut is how you add the "-nosteam" perameters outside of steam?

yea -nosteam and ram increase in target

OH GOD yeah

and then personally I do a second one with the same but also -debug as well

so I can do testing

I have mine set to 32GB lmaoo

daaaang loll

I mayyyyy slide into your DMs if they decide not to relaunch 42.12.3 😉

np 🙂

👑

naw but im sure they'll do it just make it a different branch name, and yeah i knew id toss this save after Stable, I still have my priv server set to B41 cus I knew the headache it would be to not wait til B42 Stable... just needed that SP fix and caved like 6mo ago haha

Also Lok'tar, find us if they do C+ 😄

😄 ❤️

totally fair, I was going back and forth for a bit (playing B42 for SP, and then 41 for MP) prior to B42's mp release

still fun, but damn there was stuff I missed every time

Yeah B42 has been massive fun, I'm glad I did it.

small things... like the shout/breathing noises

OH YEAH

I’m only part way through catching up on this thread but I will address some confusion because I think people are confusing 42.12.3 and 42.13.2. 42.12.3 was the 42_12_X branch, this will return. 42.13.2 was on outdatedunstable, which was updated to 42.14.1, and will stay 42.14.1. @slate raptor for clarity.

And when I say it will stay 42.14.1, I don’t mean permanently. It will lag 1 minor update (the middle number) behind unstable

https://tenor.com/view/cute-cat-sad-credit-card-cute-cat-gif-14664045726673709368

lmfao, I love that I keep collecting random cat gifs

lmao love that gif

https://tenor.com/view/do-not-redeem-don't-redeem-scammer-kitboga-do-not-redeem-the-card-gif-11900855712098613254

is it "next week" yet?

surely it is.
get on with it.

https://tenor.com/view/reigen-arataka-reigen-mob-psycho-mob-psycho-100-update-gif-288959226462827428

Because of you, update was delayed by 7 days.

Updated] Addressing a Security Vulnerability

[Updated] Addressing a Security Vulnerability

Legacy branches restored

cool

You're making a reddit post to please the masses, right?

🔥

(they'll still be angry that 42.13 isnt included)

Not a new one. I pinned a comment to the other.

People are already posting

That's true, other people posting about it helps get the word out

Well tell them it was being removed after .15 anyways, which a certain someone ( up 2 ^^) said was coming next week

i wish you the best, sully, may the minor update be bug free

yes, but people seem to have a hardtime understanding that

If they spammed random letters for the lagging behind unstable name, people would be forced to google it lol

Sully when will I find happiness?

When you stop looking for it

Thanks for the clarification!

They're all live now btw (except Build 38 server)

🙏

🫡 thank you for the @ ❤️

That is excellent

i'm not hiding, just had no good reason to show myself. it was a bit of a mess, but you handled it 🙂 so if you guys have an idea to disclose anything, i'm totally fine with it

I take this to mean you were the reporter?

https://tenor.com/view/damn-thats-deep-cody-ko-wade-the-real-bros-of-simi-valley-gif-16476225

https://tenor.com/view/thank-soldiers-gif-24108551

yep

https://tenor.com/view/dont-matter-dont-care-peaceful-laid-back-zen-life-gif-11553527040815409027

@slate raptor notice I didn't post the delay the update gif for these updates

I did indeed notice that lolll

Yeah, I totally didn't just pass out early, I knew what I was doing

Chat is no longer concentrated in 1 chat thread... making it hard to follow.

https://tenor.com/view/yes-sir-yes-boss-military-salute-giving-honor-rip-gif-23161689

Yeah we got 3 now it’s chaos!

2 now. Will probably leave this one up until 42.15 drops just in case there are stragglers looking for information

https://tenor.com/view/skeptical-futurama-fry-hmmm-i-got-my-eyes-on-you-gif-17101711

https://tenor.com/view/twister-movie-heading-right-for-gif-5841340415077396555

I will check it by counting it one by one

so how long until I can play my zomboid

You can play right now

my load is like

not loading

👀

Is it a save from a previous version?

I was playing last night with no issues loading

no like the build I played on got merked

Was it 42.13.2?

dont know

prob

From my understanding that isn't coming back, everything else should be back now

fuhhh

Time for a fresh run I suppose. In the future if you are serious about keeping a run going on a specific version copy the PZ folder out of the steamapps location and launch it manually, it will not be able to self update in that case

yeah I hope they make it so previous saves can be reloaded

Doesn't look like it will be

trust bro we got this

Im sure bro

oh no security vulnerability

will pc get exploded to bits

N3na3

oh hello InsOmniumWOlf

https://nohello.net/en/

https://tenor.com/view/megan-soo-dog-meme-funny-dog-meme-gif-14413441628212659223

https://tenor.com/view/project-zomboid-project-zomboid-gif-12032282095065498222

He cuts the bandage with his teeth right?

god forbid someone is friendly

he's calling me out for having it in my about me section 🥴

lol yeah I’m just messing with N3na3 (hello N3na3)

hmph i've already said my salutations, (omghiinsomniumwolf)

hello i don't see the unstable 42.14.1 into the properties, how i play the unstable?

Its just the main unstable option in the betas