Hello everyone,
My team is using Unreal Engine 5.6.1 to develop a new product, and we are approaching our closed beta release.
As part of our standard security validation process, our scanning tools have flagged several high and critical severity vulnerabilities in the third-party libraries that come pre-built with the engine. Our main concern is understanding the potential risk these pose to our end-users in a final, packaged application.
Here is a summary of the flagged components and the issue counts:
| Library/Component | Critical Issues | High-Severity Issues |
|---|---|---|
| FreeType 2.10.0 | 1 | 1 |
| stb (in MaterialX 1.38.10, astc-encoder 5.3) | 1 | 7 |
| WebRTC 5414 | 0 | 1 |
| expat 2.2.10 | 0 | 1 |
| FreeImage 3.18 | 0 | 21 |
| lz4 1.9.3 (in c-blosc 1.21.0) | 1 | 0 |
| zstd 1.4.8 (in c-blosc 1.21.0) | 0 | 1 |
| harfbuzz 2.4.0 | 0 | 1 |
| openexr 3.3.2 | 1 | 0 |
| zlib 1.3.0 | 0 | 1 |
| ICU 64.1 | 0 | 1 |
| CEF 3 | 0 | 1 |
We attempted to mitigate these by building the engine from source, but we were unable to resolve all of them without risking major regressions in our product.
We are hoping the community or Epic staff could provide some guidance on two main questions:
-
Are these types of vulnerabilities typically confined to the Unreal Editor, or are they likely to be present and exploitable in a final, packaged product?
-
Is there any information available on whether Epic Games has plans to address these vulnerabilities in an upcoming engine release?
Any insights you can offer would be extremely helpful for our team as we finalize our release plan.
Thank you for your time and help!