Update: Moments ago a hotfix solving this issue has been released, making mods safe to use in Cyberpunk 2077.
CD Projekt Red just can't catch a break, can they? Not a week has passed since the developers released official modding tools for Cyberpunk 2077, and already they have to caution users against downloading and installing mods due to a serious security risk that can allow the uploader of the files to execute malicious code remotely. Some mods have also proven to corrupt save files, though this is the smaller issue at hand.
Following the troubled launch of Cyberpunk 2077, CDPR has been in full damage control mode, releasing hotfixes and title updates focusing on hammering out the bugs and performance issues that cost the studio heaps of goodwill back in December. The free DLC program has been delayed, as have the paid expansions. The release of the modding tools was supposed to be a leap in the right direction, since lively modding communities are a surefire way to endear your game to more players while also cementing its longevity.
If you plan to use @CyberpunkGame mods/custom saves on PC, use caution. We've been made aware of a vulnerability in external DLL files the game uses which can be used to execute code on PCs. Issue will be fixed ASAP. For now, please refrain from using files from unknown sources.
— CD PROJEKT RED CS (@CDPRED_Support) February 2, 2021
Alas, this move has seemingly backfired, at least temporarily until this blunder too can be fixed. CD Projekt Red urged players to refrain from using mods via their official social media channels, stating that a vulnerability in external DLL files can be used to remotely execute code. This could be used for all sorts of nefarious purposes, with mod authors loading their files with a broad array of malware that would essentially go undetected.
It was a real stroke of luck that this - as far as we know - became known before any real harm was done. Had the vulnerability been discovered at the expense of some players, this could have turned into a second wave of controversy for the embattled game that has already resulted in one class action lawsuit against CD Projekt. CD Projekt Red has committed to releasing a fix for this vulnerability soon, which will make mods safe to download and use.
In the brief period of time between this announcement and the launch of the modding tools - though we suspect some users are still downloading mods at their risk - the community already took the idea and ran with it. Some highlights include a functioning third-person camera mod, as well as a bunch of fan-made big fixes. Even without this new vulnerability to deal with, the developers have their plates full. Just recently an unplanned hotfix had to be released to solve a game-breaking bug that was introduced by the latest patch. This is definitely turning out to be a bumpy ride.
Cyberpunk 2077 fans can expect another significant update, patch 1.1, to arrive sometime this month. This may be the update that will solve the modding issue, unless a hotfix can be squeezed in earlier. The free DLC program should be kicking off soon after that patch rolls out, with a string of more fixes coming over the course of the upcoming weeks and months. Meanwhile, fans can try to change Cyberpunk 2077 to more resemble the game they had dreamed about before launch using mods, once the security issue is resolved.