Arbitrary Code Execution in Godot serialization

Many Godot functions allow for arbitrary code execution when a file is deserialized due to the fact that Godot always runs scripts in deserialized resources. To avoid this vulnerability, you can use get_var and store_var from FileAccess. ¹

History