OP:
Sorry DevForum users, can’t publicize this, otherwise Roblox might have a bad day
A private message is associated with this bug report
EDIT:
The issue has since been resolved. I owe it to the DevForum for explaining what the vulnerability was down below.
Experiences that made use of InsertService:LoadAsset() or equivalent for their asset management or community-facing features allowed ‘PluginCapabilities’ instances to be loaded, granting the asset privileges higher than the experience’s own code and preventing developers from reliably interrogating the asset and scrubbing it of any excluded classes or content, as the instance and anything within it is not indexable, making it essentially ‘invisible’.
One example was the ‘StandalonePluginScripts’ class. Once parented to somewhere like game.ServerStorage, any Script instances with RunContext set to Server could immediately start executing against the developer’s wishes.
This vulnerability remained confidential on my part as I had conversations with developers of various large experiences that make use of this system and also scrub assets for any unwanted content before trusting them to be used in their experience - they also agreed that this vulnerability was dangerous.
I determined the issue was platform-wide and by default every experience that made use of InsertService:LoadAsset() for any asset that was created by someone else could have been an attack vector through any method of compromising said account, or by being a bad actor themselves.
Roblox took this vulnerability seriously and patched it up for the entire platform - now InsertService:LoadAsset() errors in cases like this, blocking the loading of any asset containing instances with elevated privileges such as ‘PluginCapabilities’.
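
The following is an added example, not code from the original post or from Roblox: a fail-closed way to load and scrub a third-party asset, which handles the error the post says InsertService:LoadAsset() now raises and rejects an asset outright when any instance in it cannot be inspected, instead of skipping that instance. The allowlist contents and the names `isAssetAcceptable` and `loadTrustedAsset` are hypothetical, and it is an assumption that an uninspectable instance surfaces as an error on property access.

```lua
local InsertService = game:GetService("InsertService")

-- Assumption: classes this experience is willing to accept (constructed list).
local ALLOWED_CLASSES = {
	Model = true, Folder = true, Part = true, MeshPart = true,
	UnionOperation = true, Decal = true, Texture = true,
	SpecialMesh = true, WeldConstraint = true, Attachment = true,
}

-- Returns true only if every descendant could be read and is on the allowlist.
local function isAssetAcceptable(root: Instance): (boolean, string?)
	local okList, descendants = pcall(root.GetDescendants, root)
	if not okList then
		return false, "could not enumerate descendants"
	end
	for _, inst in ipairs(descendants) do
		-- Assumption: an instance that cannot be indexed errors here.
		-- It is treated as a reason to reject the asset, never skipped.
		local okRead, className = pcall(function()
			return inst.ClassName
		end)
		if not okRead then
			return false, "uninspectable instance in asset"
		end
		if not ALLOWED_CLASSES[className] then
			return false, "disallowed class: " .. className
		end
	end
	return true, nil
end

-- Hypothetical entry point: returns the asset container only if it passes.
local function loadTrustedAsset(assetId: number): Instance?
	-- LoadAsset can throw; the post says it now errors on elevated-privilege content.
	local okLoad, container = pcall(InsertService.LoadAsset, InsertService, assetId)
	if not okLoad then
		warn("LoadAsset rejected asset", assetId, container)
		return nil
	end
	-- The container is inspected before it is parented anywhere in the DataModel.
	local acceptable, reason = isAssetAcceptable(container)
	if not acceptable then
		warn("Asset", assetId, "rejected:", reason)
		container:Destroy()
		return nil
	end
	return container
end
```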