CVE-2025-59489
Description
Unity Runtime before 2025-10-02 on Android, Windows, macOS, and Linux allows argument injection that can result in loading of library code from an unintended location. If an application was built with a version of Unity Editor that had the vulnerable Unity Runtime code, then an adversary may be able to execute code on, and exfiltrate confidential information from, the machine on which that application is running. NOTE: product status is provided for Unity Editor because that is the information available from the Supplier. However, updating Unity Editor typically does not address the effects of the vulnerability; instead, it is necessary to rebuild and redeploy all affected applications.
INFO
Published Date: Oct. 3, 2025, 2:15 p.m.
Last Modified: Oct. 6, 2025, 2:56 p.m.
Remotely Exploitable: No
Source: [email protected]
CVSS Scores
Version | Severity | Vector | Source |
---|---|---|---|
CVSS 3.1 | HIGH | AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
CVSS 3.1 | HIGH | AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | [email protected] |

The vectors shown are the ones recorded in the change history at the end of this page; the two sources differ only in the Attack Complexity metric (AC:L versus AC:H).
Solution
- Update Unity Editor to a version that addresses the vulnerability.
- Review and sanitize search paths in local applications.
- Validate loaded files to prevent manipulation.
Public PoC/Exploit Available at GitHub
CVE-2025-59489 has 20 public PoC/exploit repositories available on GitHub; the detected repositories are listed below.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2025-59489.
- https://flatt.tech/research/posts/arbitrary-code-execution-in-unity-runtime/
- https://unity.com/security#security-updates-and-patches
- https://unity.com/security/sept-2025-01
CWE - Common Weakness Enumeration
While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2025-59489 is associated with the following CWEs (as recorded in the change history at the end of this page):
- CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
- CWE-426: Untrusted Search Path
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2025-59489 weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proof-of-concepts which have been published on GitHub (sorted by the most recently updated).
- A simple script pack to exploit Unity's CVE-2025-59489
- CVE-2025-59489 Unity Vulnerability Checker (Python)
- Proof Of Concept For CVE-2025-59489. Affects unity games running on Android. (Java, C)
- CVE-2025-59489 POC For android games
- Project repository for CISC 486 2025 Fall Group 14. (C#, ShaderLab, HLSL)
- A mod that helps you play older versions of BTD6 in offline mode on different profiles with no hassle. (btd6-mod; C#)
Results are limited to the first 15 repositories due to potential performance issues.
The following list contains news articles that mention the CVE-2025-59489 vulnerability anywhere in the article.
- Kaspersky: The CVE-2025-59489 vulnerability in Unity, and how to fix it in games | Kaspersky official blog. In early October, Unity announced that game developers have a lot of work to do. The popular game engine, used for PC, console and mobile games, has a software vulnerability in it that requires all pu ...
- BleepingComputer: Steam and Microsoft warn of Unity flaw exposing gamers to attacks. A code execution vulnerability in the Unity game engine could be exploited to achieve code execution on Android and privilege escalation on Windows. Unity is a cross-platform game engine and developme ...
- Daily CyberSecurity: Unity Flaw CVE-2025-59489 Allows Local Code Execution in Millions of Games. A serious vulnerability in the Unity Runtime, tracked as CVE-2025-59489 (CVSS 8.4), has been discovered by security researcher RyotaK (@ryotkak) from GMO Flatt Security Inc., potentially exposing mill ...
- Daily CyberSecurity: Qualcomm Antitrust Trial Begins: UK Consumer Group Seeks £480 Million for Inflated Smartphone Prices. Qualcomm is once again facing legal action — but this time, the lawsuit does not come from Arm or other industry players. Instead, it has been filed by the UK consumer advocacy group Which?, which acc ...
- security.nl: Microsoft advises removing games built with the vulnerable Unity engine. Microsoft advises users to remove games made with a vulnerable version of the Unity Gaming Engine Editor. Gaming platform Steam has released an update aimed at the launching of vulnerable g ...
The following tables list the changes that have been made to the CVE-2025-59489 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
- CVE Modified by [email protected] (Oct. 03, 2025)

Action | Type | Old Value | New Value |
---|---|---|---|
Changed | Description | Unity Editor 2019.1 through 6000.3 could allow remote attackers to exploit file loading and Local File Inclusion (LFI) mechanisms via a crafted local application because of an Untrusted Search Path. This could permit unauthorized manipulation of runtime resources and third-party integrations. The issue could affect applications built using Unity and deployed across Android, Windows, macOS, and Linux platforms. | Unity Runtime before 2025-10-02 on Android, Windows, macOS, and Linux allows argument injection that can result in loading of library code from an unintended location. If an application was built with a version of Unity Editor that had the vulnerable Unity Runtime code, then an adversary may be able to execute code on, and exfiltrate confidential information from, the machine on which that application is running. NOTE: product status is provided for Unity Editor because that is the information available from the Supplier. However, updating Unity Editor typically does not address the effects of the vulnerability; instead, it is necessary to rebuild and redeploy all affected applications. |
Added | CVSS V3.1 | | AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
Added | CWE | | CWE-88 |

- New CVE Received by [email protected] (Oct. 03, 2025)

Action | Type | Old Value | New Value |
---|---|---|---|
Added | Description | | Unity Editor 2019.1 through 6000.3 could allow remote attackers to exploit file loading and Local File Inclusion (LFI) mechanisms via a crafted local application because of an Untrusted Search Path. This could permit unauthorized manipulation of runtime resources and third-party integrations. The issue could affect applications built using Unity and deployed across Android, Windows, macOS, and Linux platforms. |
Added | Reference | | https://flatt.tech/research/posts/arbitrary-code-execution-in-unity-runtime/ |
Added | Reference | | https://unity.com/security#security-updates-and-patches |
Added | Reference | | https://unity.com/security/sept-2025-01 |

- CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Oct. 03, 2025)

Action | Type | Old Value | New Value |
---|---|---|---|
Added | CVSS V3.1 | | AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Added | CWE | | CWE-426 |