GHSA-g588-cjg3-6g78: Steamworks game clients/servers using P2P authentication vulnerable to denial of service

May 11, 2026

Processing the raw ValidateAuthTicketResponse_t callback data panics when the m_eAuthSessionResponse field is k_EAuthSessionResponseAuthTicketNetworkIdentityFailure. This can lead to denial of service in game clients and servers using the begin_authentication_session API to authenticate players if a malicious game client sends an authentication ticket with a network identity that does not match that of the verifier.

References

github.com/Noxime/steamworks-rs/issues/321
github.com/advisories/GHSA-g588-cjg3-6g78
rustsec.org/advisories/RUSTSEC-2026-0121.html

Code Behaviors & Features

Detect and mitigate GHSA-g588-cjg3-6g78 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →