PT-2025-40457 · Unity Technologies · Unity Runtime

Ryotak · Published 2025-10-03 · Updated 2025-10-06 · CVE-2025-59489

CVSS v3.1: 7.4
Vector: AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Unity versions 2017.1 and later

Description: A significant security vulnerability (CVE-2025-59489) exists in the Unity runtime, potentially allowing arbitrary code execution. The issue stems from an untrusted search path: crafted command-line arguments can cause the runtime to load malicious code. While primarily a local code execution risk, remote exploitation is possible under specific conditions on Android. Approximately 70% of mobile games are estimated to be affected. No active exploitation has been reported, but the vulnerability has existed since 2017. The vulnerability affects applications built for Windows, Android, macOS, and Linux; platforms such as iOS, Xbox, and Meta Horizon OS are not affected. API endpoints are not directly involved in the vulnerability, but the issue relates to how Unity handles command-line arguments that can influence file loading.

Recommendations: Update to the latest patched Unity Editor version and rebuild projects. If rebuilding is not feasible, use the Unity Application Patcher to patch existing builds. If applications use anti-cheat or tamper protection, rebuilding is required. Ensure automatic updates are enabled for games and applications.

Fix

RCE

LPE

Untrusted Search Path

Argument Injection

Weakness Enumeration

Related Identifiers

CVE-2025-59489

Affected Products

Unity Runtime