CVE-2025-59489
Unity Editor vulnerability analysis and mitigation

Overview

Unity Runtime before 2025-10-02 contains a critical vulnerability (CVE-2025-59489) affecting applications built with Unity Editor versions from 2017.1 onwards on Android, Windows, macOS, and Linux platforms. The vulnerability allows argument injection that can result in loading of library code from an unintended location, potentially enabling attackers to execute code and exfiltrate confidential information from affected systems (Unity Advisory, NVD).

Technical details

The vulnerability stems from Unity Runtime's intent handling on Android, where the engine automatically registers a handler for the "unity" intent extra in UnityPlayerActivity. This handler parses the value of the "unity" extra as command-line arguments, so whoever can deliver an intent to the activity controls the arguments passed to the Unity application. The critical issue is the -xrsdk-pre-init-library argument, whose value is passed directly to dlopen(), so an attacker-supplied path is loaded as a shared library. The vulnerability has received a CVSS score of 8.4 (High) with vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Flatt Research, Security Online).

Impact

The vulnerability affects millions of games and applications built with Unity, exposing them to local code execution and information disclosure. On Android, a malicious application installed on the same device can hijack the permissions granted to a Unity application. On Windows, applications that register a custom URI handler could be triggered remotely. In all cases the impact is confined to the privilege level of the vulnerable application (Security Online, Unity Advisory).

Mitigation and workarounds

Unity has released patches for all supported versions and many out-of-support versions from Unity 2019.1 onwards. Developers must update their Unity Editor to the newest version, rebuild affected applications, and redeploy them. Unity has also provided a Binary Patch tool for legacy projects that cannot be easily rebuilt. For Windows systems with custom URI handlers, Unity recommends contacting their security team directly (Unity Advisory).
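The affected and remediation ranges above (affected from Unity 2017.1 onwards; patched Editors from 2019.1 onwards; the Binary Patch tool for older legacy builds) can be turned into a fleet triage helper. This is an added example, not Unity's tooling; app names and version strings in the sample inventory are constructed, and how the Unity version string is extracted from a build is assumed to happen elsewhere.

```python
import re
from collections import defaultdict

# Unity version strings: "2019.4.40f1", "2017.1.0p4", "6000.0.23f1", "5.6.7f1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([abfp])(\d+)$")

# Ranges from the advisory summary above: affected from 2017.1 onwards, patched
# Editors available from 2019.1 onwards, Binary Patch tool for older builds.
AFFECTED_FROM = (2017, 1)
REBUILD_FROM = (2019, 1)

NOT_IN_RANGE = "not in affected range (built before 2017.1)"
REBUILD = "affected: update Unity Editor, rebuild, redeploy"
LEGACY = "affected (legacy): Binary Patch tool, or upgrade and rebuild"
UNKNOWN = "unknown version string: verify manually"

def parse_unity_version(text):
    """Return (major, minor, patch, stage, build) or raise ValueError.
    stage is a=alpha, b=beta, f=final, p=patch release."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Unity version string: {text!r}")
    major, minor, patch, stage, build = m.groups()
    return (int(major), int(minor), int(patch), stage, int(build))

def triage(version_text):
    """Map one Editor version to the remediation path described on this page.
    Caveat: the page gives no patched version numbers, so an in-range build is
    flagged even if it has already been rebuilt with a fixed Editor."""
    try:
        major, minor, *_ = parse_unity_version(version_text)
    except ValueError:
        return UNKNOWN
    if (major, minor) < AFFECTED_FROM:
        return NOT_IN_RANGE
    if (major, minor) >= REBUILD_FROM:
        return REBUILD
    return LEGACY

def triage_inventory(builds):
    """Group app names by remediation path; builds maps app name -> version."""
    groups = defaultdict(list)
    for app, version in builds.items():
        groups[triage(version)].append(app)
    return dict(groups)

# Constructed sample inventory (names and versions made up for illustration).
SAMPLE_BUILDS = {"legacy-puzzle": "2017.1.0p4", "old-racer": "2018.4.36f1",
                 "arcade-2019": "2019.1.0f2", "unity6-shooter": "6000.0.23f1",
                 "ancient-demo": "5.6.7f1", "mystery-app": "n/a"}
```

Because this page does not list the exact patched Editor releases, treat every build in the affected range as needing verification against the Unity Advisory rather than as confirmed vulnerable.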


Related Unity Editor vulnerabilities:

CVE ID          | Severity | Score | Technologies | Component name                  | CISA KEV exploit | Has fix | Published date
CVE-2017-12939  | CRITICAL | 9.8   | Unity Editor | cpe:2.3:a:unity3d:unity_editor  | No               | Yes     | Aug 18, 2017
CVE-2019-9197   | HIGH     | 8.8   | Unity        | cpe:2.3:a:unity3d:unity_editor  | No               | Yes     | Dec 31, 2019
CVE-2025-59489  | HIGH     | 7.4   | Unity Editor | cpe:2.3:a:unity3d:unity_editor  | No               | Yes     | Oct 03, 2025
