
Cloud Vulnerability DB
A community-led vulnerabilities database
A critical vulnerability (CVE-2025-59489) was discovered in Unity Runtime affecting applications built with Unity Editor versions 2017.1 and later. The vulnerability was identified on June 4, 2025, by RyotaK of GMO Flatt Security Inc. and publicly disclosed on October 2, 2025. The flaw affects applications deployed across Android, Windows, macOS, and Linux platforms, potentially impacting 70% of top mobile games (Cyber Kendra, Flatt Security).
The vulnerability stems from an untrusted search path weakness (CWE-426) and argument injection in Unity's runtime, which can result in library code being loaded from unintended locations. It carries a CVSS score of 8.4 (High). Attackers can exploit Unity's intent handling system through the -xrsdk-pre-init-library argument, which can force vulnerable applications to load attacker-controlled native libraries. The vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H indicates a local attack vector, low attack complexity, no privileges required, and no user interaction, with high impact on confidentiality, integrity, and availability (Unity Security, Flatt Security).
The vulnerability enables local code execution and access to confidential information on devices running Unity-built applications. On Android devices, applications are susceptible to both code execution and elevation of privilege attacks. Windows, Linux, and macOS platforms face elevation of privilege risks. Code execution is confined to the privilege level of the vulnerable application, with information disclosure limited to data accessible to the compromised process (Unity Security, Cyber Security News).
Unity has released patches for all supported versions from 2019.1 onward and introduced a Unity Binary Patch tool for developers unable to rebuild applications. Developers must either update to the newest Unity Editor version and rebuild/redeploy their applications, or use the Unity Binary Patch tool to replace the Unity runtime library with a patched version. Unity emphasizes that updating Unity Editor alone doesn't address the vulnerability; affected applications must be rebuilt and redeployed (Unity Security, Cyber Security News).
Source: This report was generated using AI