Security Update Advisory
Diese Website wurde aus praktischen Gründen für Sie maschinell übersetzt. Die Richtigkeit und Zuverlässigkeit des übersetzten Inhalts kann von uns nicht gewährleistet werden. Sollten Sie Zweifel an der Richtigkeit des übersetzten Inhalts haben, schauen Sie sich bitte die offizielle englische Version der Website an.
Summary
Applications that were built using affected versions of the Unity Editor are susceptible to an unsafe file loading and local file inclusion attack depending on the operating system, which could enable local code execution or information disclosure at the privilege level of the vulnerable application. There is no evidence of any exploitation of the vulnerability nor has there been any impact on users or customers. Unity has provided fixes that address the vulnerability and they are already available to all developers.
Vulnerability Details
CVE ID: CVE-2025-59489
Date Discovered: June 4, 2025
Discovered By: RyotaK of GMO Flatt Security Inc.
Date Patch Available: October 2, 2025
Affected Operating System: See Affected Operating Systems Table
Affected Versions: See Unity Editor Versions Table
Patched Versions: See Unity Editor Versions Table
Vulnerability Type: CWE-426: Untrusted Search Path
Severity: High
CVSS Score: 8.4
CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitation Potential
Could allow local code execution and access to confidential information on end user devices running unity-built applications. Code execution would be confined to the privilege level of the vulnerable application, and information disclosure would be confined to the information available to the vulnerable application.There is no evidence of any exploitation of the vulnerability nor has there been any impact on users or customers.
Unity Editor Versions Table
Applications built with the indicated versions of the Unity Editor prior to the Patched Versions are considered vulnerable.
Current in Support Versions
We have extended fixes to out of support versions of the Unity Editor to include Unity 2019.1 and newer.
Out of Support Versions
Affected Platforms Table
Applications built with affected versions of the Unity Editor and released on these platforms could be impacted by the vulnerability.
Note: If a platform is not listed, there have been no findings to suggest that the vulnerability is exploitable.
On Microsoft Windows systems, the presence of a registered custom URI handler for a vulnerable application or handler name could increase the risk of exploitation. If a custom URI scheme is present and can be invoked on the target system, an attacker who can cause that URI to be opened could trigger the vulnerable library-loading behavior without needing direct command-line access. Potential exploitation remains constrained to the privileges of the targeted application and to the data and services accessible to that process. Entities that routinely create registered URI handlers for Unity applications are encouraged to contact Unity directly at security@unity3d.com.
Discovery
This vulnerability was responsibly reported by an external security researcher.
Remediation Steps
Rebuild Application
- Update the Unity Editor to the newest version then rebuild and redeploy the application.
Binary Patch
- Using the Unity Binary Patch tool for the target platform, the Unity runtime library can be replaced with a patched version of the library.
Unity Fixed Versions
Unity fixed versions: Direct links to the first fixed versions of the Unity Editor (which includes the Unity Runtime as well)
FAQ
If an application or game is released to a platform we have not listed, there have been no findings to suggest that the vulnerability is exploitable. For added security, however, we recommend that you rebuild your games and applications with updated Unity versions.
The vulnerability was initially discovered by a third-party researcher.
We have a Responsible Disclosure policy as a part of our cooperation with internal and external security researchers and also have a Bug Bounty program. For more information on our Bug Bounty program, contact security@unity3d.com or visit our Bug Bounty program on Bugcrowd.