Game Clients Release Notes – June and July 2025

jun-jul release-notes1920×1080 37.6 KB

Welcome to this edition of our Game Client Release Notes, where we recap all of the work completed in the months of June and July.

This update brings many improvements to FiveM and RedM, including enhanced stability and security fixes, expanded scripting capabilities, 12 new natives, and better validation for vehicles and peds, along with integration of new content from the Money Fronts update in canary. A broader polishing pass was also made on our developer documentation.

Support for the Money Fronts Update

Earlier in June, we introduced support for GTA Online: Money Fronts on FiveM’s canary release channel and successfully deployed to production in July.

money-fronts1035×582 175 KB

If you want to deep dive into every change from the update, check out this community post from Derass listing everything this update brings.

The ped models and vehicles pages of our documentation were also updated with the new content.

Security and Stability Improvements

Thanks to the continued collaboration of many community members, we have identified and fixed a significant number of game client crash exploits used in the past month against FiveM servers to disconnect large amount of players:

• Added vehicle model validation to check for valid vehicles archetypes before creating them over the network.

• Added additional checks against setting empty or invalid ped drawable variations.

• Improved the ped components validation, preventing invalid or out-of-bounds ped component values.

• Added vehicle type validation for submarine tasks.

• Interception of bogus head-blend data for non-freemode ped models.

• Added guards in the Lua parser to safely handle malformed function definitions, preventing crashes from bad script input.

• Wrapped two ActionScript-related natives with validation to block invalid/negative flag indices.

• Ensured player/ped creation uses a valid ped model; preventing bad spawns and crashes.

We also made our experimental netGameEvent handler enabled by default after weeks of successful testing by server owners and members of the community. This new handler reduces the game event serialization overhead, checks if entities sent with the game events are relevant to the target client, and improve its resilience for future title updates.

Miscellaneous stability improvements were also introduced to fix several game crashes experienced by players in specific conditions.

We updated the Cfx.re Platform Server recommended version to 17000. Please provide feedback on our Discord if you are experiencing issues with your server on recent versions.

New FiveM Natives

Community member Nikez added new Natives which control how and if NPC’s react to emergency sirens.

OVERRIDE_REACTION_TO_VEHICLE_SIREN

Setting the state to true and a value between 0 and 2 will cause pedestrian vehicles to react accordingly to sirens. Depending on the value set, the pedestrian vehicle will either stop outright, or pull over to the left or right side.

SET_REACTION_TO_VEHICLE_WITH_SIREN_DISABLED

This completely disables pedestrian vehicles from reacting to sirens. They will not try to do any manoeuvres to evade.

SET_FOG_VOLUME_RENDER_DISABLED

ook3D introduced a native which allows to disable or enable the rendering of fog volumes defined in vfxfogvolumeinfo.ymt. This is particularly useful for server owners who want to remove or customize the default fog around the city, such as after changing light colors, without the interference of the ambient game fog.

Community member grzybeek introduced several getter and setter natives related to fall damage.

GET_FALL_DAMAGE_LAND_ON_FOOT_MULTIPLIER
SET_FALL_DAMAGE_LAND_ON_FOOT_MULTIPLIER

Fall damage multiplier to apply when a ped lands on foot from a fall below the kill fall height threshold (i.e., when the fall does not cause instant death).

GET_FALL_DAMAGE_MULTIPLIER
SET_FALL_DAMAGE_MULTIPLIER

Fall damage multiplier applied to all peds when calculating fall damage from falls below the kill fall height threshold (i.e., when the fall does not cause instant death).

GET_KILL_FALL_HEIGHT
SET_KILL_FALL_HEIGHT

Height from which the non-player peds will instantly die from fall damage.

GET_PLAYER_KILL_FALL_HEIGHT
SET_PLAYER_KILL_FALL_HEIGHT

Height from which the player peds will instantly die from fall damage.

This example shows the modification of SET_PLAYER_KILL_FALL_HEIGHT from 15.0 meters to 5.0 meters.

Recently, tens0rfl0w added the new GET_NET_TYPE_FROM_ENTITY native, which exposes a server function to determine the specific network type of a given entity.

Improved Lua Safe-Navigation

Safe navigation lets you safely access or call properties/functions on potentially nil values without crashing your script.

This update improves that feature by supporting two new types of statements:

1. Property Assignment

myObj?.value = 1

a. This will only assign 1 to myObj.value if myObj is not nil.

b. If myObj is nil, Lua does nothing and moves on, no crash.

2. Function Calls

myObj?.myFunc()

a. This will only call myFunc() if myObj is not nil.

b. If myObj is nil, the call is skipped silently.

Deprecation of Lua 5.3

In June, we also announced the removal of the Lua 5.3 runtime in favor of Lua 5.4, and released it to production at the end of July.

Inside the announcement, you can find all of the known incompatibilities between the two versions, but these should be minimal.

Console Improvements

DaniGP17 introduced a handy filtering field on the F8 Game Client console, allowing for quick lookup of specific log lines.

Furthermore Mathu-lmn not only fixed a logging issue where an error message was missing a newline, ensuring proper formatting in the console output, but also adjusted the console channel naming for streaming warnings.

Custom Fonts for RedM

DaniGP17 made it possible to register font IDs beyond the built-in set within RedM.
This change allows the use of custom fonts that are not part of the base game.

REDM-Custom-Fonts1367×768 117 KB

New Server Commands to Block Game Events

Community contributor Ekinoxx0 added new server commands that allow server owners to block specific network game events directly, enhancing server-side control and security. Instead of relying on individual AddEventHandler calls to intercept potentially exploitable events, server owners can now use these commands:

block_net_game_event <eventName>

unblock_net_game_event <eventName>

For this system to function correctly, sv_experimentalNetGameEventHandler must be set to 1, which is the default. These commands will not work if this setting is disabled.

Community Contributions

We welcomed even more community contributions to our repositories this month:

citizenfx/fivem

• DaniGP17

  • fix(gta-streaming-five): add missing byte offset for RawEntry - Adds missing padding on RDR3 builds to restore correct struct layout and prevent memory corruption.

  • fix(gta-core-five): prevent crash when climbing ladder with non-biped peds - Adds a null check for biped capsule data to avoid ladder-related crashes for non-biped entities.

  • fix(gta-core-rdr3): prevent crash in climbing ladder with non-biped rdr3 - RDR3 counterpart: guards ladder logic against null biped capsule pointers.

  • fix(gta-core-five): validate river entity archetype - Adds an archetype null check for certain entities (e.g., rivers) to prevent crashes.

• Ekinoxx0

  • tweak(gamestate/server): simplify block_net_game_event commands - Lets server owners specify event names instead of raw hashes for blocking/unblocking.

• Korioz

  • fix(gamestate/rdr3): GET_ENTITY_MODEL for objects & animals - Ensures correct model hashes for objects and wildlife in RDR3.

• Mathu-lmn

  • fix(lua): fix file write always truncating to zero - Keeps existing data intact when writing to a file rather than wiping it.

  • fix(net-event-doc): fix typedoc not recognizing int - Replaces non-standard TypeScript int types with number so TypeDoc generates correct event docs.

• tens0rfl0w

  • tweak(core/five): allow empty head drawbl ConVar - Adds a user pref ConVar to permit an empty head drawable, enabling optional “no head” states when desired.

• AvarianKnight

  • fix(component/mumble): return a proper value when user doesn’t exist - Returns false when a Mumble user is missing to avoid undefined behavior, fixing Linux crashes and invalid data on Windows

• Ehbw

  • feat(core/rdr3): support for increased ped pool - Enables scaling ped-related pools via PoolSizeManager, removes fatal checks, and raises script/mission ped limits to support larger worlds.

  • feat(net/rdr3): increase network heap allocation size - Increases the network heap from 26 MB to 35 MB to back higher net pool allocations.

  • fix(core/rdr3): crash when targetting invalid ped/player - Adds null checks to avoid crashes when targeting entities not replicated on the client.

  • fix(core/rdr3): weaponinfo crash mitigation - Validates weapon info lookups during damage handling to prevent crashes on invalid data.

  • fix(core/five): move Ptfx Limit patch - Relocates the Ptfx limit patch into the correct project folder so it’s applied in builds.

citizenfx/natives

• spacevx

  • fix(vehicle/hash): wrong hash for this native - Corrects an incorrect vehicle native hash for proper function calls.

• AvarianKnight

  • tweak(network): add newline between comment and table (Issue #1265) - Fixes markdown rendering by inserting a newline between comments and tables for clearer documentation.

• nimoalr

  • tweak(doc): add note on performance for GetPlayerPed(-1) (Issue #1263) - Adds a note recommending PLAYER_PED_ID over GetPlayerPed(-1) for better performance, with a reference link for details.

• DaniGP17

  • tweak: change native name of IS_VEHICLE_WHEEL_BROKEN - Renamed native IS_VEHICLE_WHEEL_BROKEN to IS_VEHICLE_WHEEL_BROKEN_OFF.

Will it also prevent CEventShockingSiren game event from firing on that ped?

Overall cool update. I don’t fully understand what’s with the netGameEvent change, but my code works the same on latest build sooo… ¯\_(ツ)_/¯

New release notes on cfx.re today, this is my favorite one so far! nice job, team!

just want to mention that not one of these changes has actually been done by anyone at cfx and all of these are just community contributions. cfx has still actually done nothing

I just wanted to say something

Woohoo thanks contributors

People ask for an enhanced version, then act surprised that it doesn’t receive as many updates from the team when a new version of the game is literally in the works. Who could have thought something like that would happen and would one be more happy with the alternative?

image634×640 19.5 KB

enhanced came out nearly 6 months ago and compeititors have had enhanced support along with cross-compatibility between legacy and enhanced for a while now. meanwhile cfx haven’t provided any progress updates whatsoever?

Just leave and bring back nta and Disquse, you guys literally do nothing. Even unofficial platforms support Enhanced Edition, that’s pretty sad that Rockstar has taken over the platform and has to rely on reverse engineering its own game and doesn’t even release official tools.

Thanks for highlighting the people who contribute to development - they truly deserve it! I hope this remains a positive trend, and that in the future, recognition will go beyond just being mentioned in forum posts like this one, and take the form of something more.

Special thanks to CFX as well for reviewing contributor-submitted changes in a timely manner, properly testing them, and merging them in. And thanks for Release Notes as well

Honestly, despite some of the negativity around claims that CFX isn’t doing anything new, I do see that CFX has actually become more open to external changes. A lot of new dev features have come out over the past year or two that wouldn’t have been possible without this whole situation.

Nothing is a bit of a stretch, but definitely nothing like the old team. Honestly, I see the recent changes as nothing more than them keeping FiveM alive long enough for GTA6. Based on some screenshots I’ve seen of behind the scenes discussions, I fear FiveM’s days are numbered.

This has several in my circle concerned about the actual future of FiveM.

I sure do miss the old team. Granted, things weren’t perfect, and I know I had my issues with some members of the old team, but the state of things are just depressing.

When are we getting an update on the asset protection vulnerability?

I agree with Chrivox.
When are you going to fix it?
I would think it should be the first thing you fix. Scene creators are paying you for the service, which is now no longer really working.
Why are you still taking a big cut of earnings when your escrow doesn’t even work really ?

What about Enhanced Edition Support??

Anyone who thinks this needs to be fixed must have crashed into a tree. The security vulnerability from 2022 is still active and is actually the same as the current one.

They won’t take any action, only implement damage control. Everything for NoPixel and Gabz!

And yes, I hated it. Since the team change, everything has just gone wrong.

That’s a solid callout, and it’s something a lot of people in my circle are talking about as they reconsider whether to keep developing on FiveM. Every payment processor has fees, but the mandatory FiveM cut really stings when support is lacking. I’ve heard cases where it takes weeks to even get a response, if at all, and Tebex support is almost nonexistent.

For example, on a $6.04 sale from one of my stores today, I only got $3.54 after $1.05 in sales tax, $0.55 in gateway fees, and $0.90 in platform fees. That’s 42% (I think? I can’t math) gone before even counting income taxes.

And while I know nothing is ever fully secure, once a leak happens, it’s permanent. I do believe that if this system was being properly maintained, and updated, that we most likely wouldn’t have this vulnerability today.

I actually shut down my 35k-member project two years ago because of a similar situation. Sure, they mentioned there’s server enforcement, but from what I’ve heard, some are taking the leaked code, changing enough to get past their detection methods, and fully using said resources without issue or consequence.

Even worse for the server owners dishing out money for Patreon, or whatever that setup is these days.

What is everyone paying for?

Wait, the one like August/September/October 2022? If so, that’s the same vulnerability that led to me closing down my 35k+ member community as all of our assets were running wild and our community began tanking because what made us unique was then on so many other servers.

Theoretically, they were always able to decrypt assets (maps, clothing, etc.) & server-side scripts, just not on the client-side script.

But yes, the security vulnerability is essentially the same as before.

I had already reported this security vulnerability on 23 June, i.e. before the major leak of the tools (cfx support). I provided some evidence and so on. But nobody really cared. I blame the managers rather than the developers for this.

Let me explain it, as it seems that many do not understand how fees and tax works. Your transaction was 6.04, 1.05 of that is sales tax (VAT in Europe) meaning that you priced your package at 4.99. 0.55 of that is the gateway fee, whatever PayPal, Bank, whatever the customer used for the transaction. Then Tebex and Cfx takes 15% of the full transaction cost. So 0.90.

The gateway fee and tax is unavoidable. Tebex clearly states that 15% is taken off each transaction as a fee. 42% is a lot, but thats because of many factors. Also ignoring the sales tax, if your package is priced at 4.99, and you received 3.54, the total “fee” was actually 29%

Shout out to the contributors