I’m kind of stupid and not too good with the Roblox client-server boundary, so I don’t really see what problems loadstring() causes since it basically just runs strings as if they were functions. Can’t exploiters can do the exact same thing with a script injector or am I missing out on an essential detail here? I plan on using loadstring() and I’d like to figure out how to make it safe.

loadstring() can allow exploiters to easily run any line of code into your game, if they know that it is enabled. That is what the vulnerability is.

HOW TO USE IT WHEN ENABLED:

loadstring("Your code here")()

You may find this article helpful.

Disable “loadstring()”

You should almost always disable the Lua loadstring() function (it’s disabled by default). This function is both powerful and dangerous because it allows arbitrary and dynamic code to execute at runtime. With the ability disabled, however, any Script on the server that attempts a loadstring() call will throw an exception.

This setting can be found in the ServerScriptService properties under LoadStringEnabled .

Can they run server-side code? Don’t see much of an issue with it otherwise if you have FilteringEnabled on.

They cannot run server sided code unless you have a remote event for loadstring(). Also, FilteringEnabled is on by default, even if you turn it off.

Wait, so what’s wrong with loadstring()? Don’t most exploiters use a custom loadstring function that bypasses LoadstringEnabled that allows them to run code on the client anyway?

With loadstring enabled exploiters can more easily exploit. With it enabled of course some people will find a way around it, but with it disabled more will use it.

loadstring is never available on the client.

On the server, you only have to worry about it if you actually use it somewhere an exploiter can bruteforce their way into; this allows server-side execution, which presents a serious security risk.