Arbitrary Code Execution in Godot serialization
Many Godot functions allow for arbitrary code
execution when a file is deserialized due to the
fact that Godot
always runs scripts in deserialized resources.
To avoid this vulnerability, you can use
get_var and store_var from
FileAccess. 1