Arbitrary Code Execution in Godot serialization
Many Godot functions allow for arbitrary code execution when a file is deserialized due to the fact that Godot always runs scripts in deserialized resources. To avoid this vulnerability, you can use `get_var` and `store_var` from `FileAccess`. [1]
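
A save/load pair built on the `store_var` / `get_var` approach described above, as an added example that is not code from the original page or from the Godot project. It assumes Godot 4 GDScript; the save path, the schema and the function names are hypothetical.

```gdscript
extends Node

# Hypothetical save location and schema, chosen for this example.
const SAVE_PATH := "user://savegame.bin"
const EXPECTED_TYPES := {
	"level": TYPE_INT,
	"player_name": TYPE_STRING,
	"inventory": TYPE_ARRAY,
}

func save_game(data: Dictionary) -> Error:
	var file := FileAccess.open(SAVE_PATH, FileAccess.WRITE)
	if file == null:
		return FileAccess.get_open_error()
	# full_objects = false (the default): only plain Variant data is written,
	# never a serialized Object that could carry a script.
	file.store_var(data, false)
	file.close()
	return OK

func load_game() -> Dictionary:
	var file := FileAccess.open(SAVE_PATH, FileAccess.READ)
	if file == null:
		return {}
	# allow_objects = false (the default): Object decoding stays disabled.
	# Passing true here would bring back the script-execution risk.
	var raw: Variant = file.get_var(false)
	file.close()
	return _validate(raw)

# Treat the decoded value as untrusted input: check its shape before use.
# Returns an empty Dictionary when the file does not match the schema.
func _validate(raw: Variant) -> Dictionary:
	if typeof(raw) != TYPE_DICTIONARY:
		return {}
	var data: Dictionary = raw
	for key in EXPECTED_TYPES:
		if not data.has(key) or typeof(data[key]) != EXPECTED_TYPES[key]:
			return {}
	for item in data["inventory"]:
		if typeof(item) != TYPE_STRING:
			return {}
	return data
```

Both calls keep their object flags at `false`, which is what keeps the file a pure data container; the schema check is an extra step added in this example so that a tampered file is rejected instead of reaching game logic.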