Today we’re looking at a vulnerability discovered in GameMaker, the game development tool that streamlines and simplifies game dev for all users, regardless of skill level.

The vulnerability in question (CVE-2025-12501) can lead to application crashes through denial-of-service attacks (DoS). Our team was notified about the vulnerability through an external researcher as part of our ongoing collaboration with security experts. It was quickly addressed, and resolved in a timely fashion.

GameMaker users who use the network_create_server() function in their projects  are urged to update and recompile immediately.

The vulnerability: CVE-2025-12501 explained

The core of this vulnerability lies within the network_create_server() function, a commonly used component for implementing network functionality in GameMaker projects. Specifically, it has been found to be susceptible to an integer overflow crash when processing malformed or oversized packets. An attacker could exploit this by sending a specially crafted packet to the server, causing the GameMaker application to terminate unexpectedly.

This type of crash can lead to denial-of-service (DoS) attacks, where legitimate users are prevented from accessing or using the game or application. 

Who is affected?

Any GameMaker project compiled with runtime below 2024.14.0 that utilizes the network_create_server() function for network communication is potentially at risk.

Developers are advised to review their project codebases to identify instances of network_create_server() usage.

Action required: Update your GameMaker IDE

GameMaker has released an update to address this vulnerability. To protect your projects and users, we strongly recommend updating your GameMaker IDE to the latest version (2024.14.0 or higher).

How to Update:

1. Open GameMaker Studio 2/GameMaker: Launch your GameMaker IDE.
2. Check for Updates: Navigate to “Help” -> “Check for Updates” or refer to the “IDE and Runtime Versions” section in your preferences.
3. Install the Latest IDE: Follow the prompts to download and install the latest stable GameMaker IDE. The patched version (2024.14.0 or higher) will include a fix for CVE-2025-12501.
4. Recompile Your Projects: After updating, it is crucial to recompile and export all affected projects using the 2024.14 runtime. Distribute these updated versions to your users.

Important Note: Simply updating the GameMaker IDE is not enough. You must ensure the runtime used by your projects is also updated and that your projects are recompiled with this updated runtime.

Stay vigilant

Security is an ongoing process. We encourage all GameMaker developers to stay informed about the latest security advisories and best practices. Regularly checking for GameMaker updates and actively participating in the developer community can help ensure your projects remain secure.

For further information and official announcements, please refer to the official GameMaker blog.

Need assistance?

If you encounter any issues during the update process or require further assistance, please reach out to GameMaker support or consult the GameMaker community forum.

We thank the security researcher who responsibly disclosed this vulnerability, allowing for a timely fix.

---