Security Update Advisory

Summary

Applications that were built using affected versions of the Unity Editor are susceptible to an unsafe file loading and local file inclusion attack depending on the operating system, which could enable local code execution or information disclosure at the privilege level of the vulnerable application. There is no evidence of any exploitation of the vulnerability nor has there been any impact on users or customers. Unity has provided fixes that address the vulnerability and they are already available to all developers.

Vulnerability Details

CVE ID: CVE-2025-59489

Date Discovered: June 4, 2025

Discovered By: RyotaK of GMO Flatt Security Inc.

Date Patch Available: October 2, 2025

Affected Operating System: See Affected Operating Systems Table

Affected Versions: See Unity Editor Versions Table

Patched Versions: See Unity Editor Versions Table

Vulnerability Type: CWE-426: Untrusted Search Path

Severity: High

CVSS Score: 8.4

CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation Potential

Could allow local code execution and access to confidential information on end user devices running unity-built applications. Code execution would be confined to the privilege level of the vulnerable application, and information disclosure would be confined to the information available to the vulnerable application.There is no evidence of any exploitation of the vulnerability nor has there been any impact on users or customers.

Unity Editor Versions Table

Applications built with the indicated versions of the Unity Editor prior to the Patched Versions are considered vulnerable.

Current in Support Versions

6000.3
Affected Versions
All
Patched Version
6000.3.0b4
6000.2
Affected Versions
All
Patched Version
6000.2.6f2
6000.0 LTS
Affected Versions
All
Patched Version
6000.0.58f2
2022.3 xLTS
Affected Versions
All
Patched Version
2022.3.67f2
2021.3 xLTS
Affected Versions
All
Patched Version
2021.3.56f2

We have extended fixes to out of support versions of the Unity Editor to include Unity 2019.1 and newer.

Out of Support Versions

6000.1
Affected Versions
All
Patched Version
6000.1.17f1
2023.2
Affected Versions
All
Patched Version
2023.2.22f1
2023.1
Affected Versions
All
Patched Version
2023.1.22f1
2022.3 LTS
Affected Versions
All
Patched Version
2022.3.62f2
2022.2
Affected Versions
All
Patched Version
2022.2.23f1
2022.1
Affected Versions
All
Patched Version
2022.1.25f1
2021.3 LTS
Affected Versions
All
Patched Version
2021.3.45f2
2021.2
Affected Versions
All
Patched Version
2021.2.20f1
2021.1
Affected Versions
All
Patched Version
2021.1.29f1
2020.3
Affected Versions
All
Patched Version
2020.3.49f1
2020.2
Affected Versions
All
Patched Version
2020.2.8f1
2020.1
Affected Versions
All
Patched Version
2020.1.18f1
2019.4 LTS
Affected Versions
All
Patched Version
2019.4.41f1
2019.3
Affected Versions
All
Patched Version
2019.3.17f1
2019.2
Affected Versions
All
Patched Version
2019.2.23f1
2019.1
Affected Versions
All
Patched Version
2019.1.15f1
2018.4
Affected Versions
All
Patched Version
N/A
2018.3
Affected Versions
All
Patched Version
N/A
2018.2
Affected Versions
All
Patched Version
N/A
2018.1
Affected Versions
All
Patched Version
N/A
2017.4
Affected Versions
All
Patched Version
N/A
2017.3
Affected Versions
2017.3.0b9+
Patched Version
N/A
2017.2
Affected Versions
2017.2.0p4+
Patched Version
N/A
2017.1
Affected Versions
2017.1.2p4+
Patched Version
N/A

Affected Platforms Table

Applications built with affected versions of the Unity Editor and released on these platforms could be impacted by the vulnerability.

Note: If a platform is not listed, there have been no findings to suggest that the vulnerability is exploitable.

Android
Impact
Code Execution / Elevation of Privilege
Severity
High
Windows
Impact
Elevation of Privilege
Severity
High
Linux (Desktop)
Impact
Elevation of Privilege
Severity
High
Linux (Embedded)
Impact
Elevation of Privilege
Severity
High
MacOS
Impact
Elevation of Privilege
Severity
High

On Microsoft Windows systems, the presence of a registered custom URI handler for a vulnerable application or handler name could increase the risk of exploitation. If a custom URI scheme is present and can be invoked on the target system, an attacker who can cause that URI to be opened could trigger the vulnerable library-loading behavior without needing direct command-line access. Potential exploitation remains constrained to the privileges of the targeted application and to the data and services accessible to that process. Entities that routinely create registered URI handlers for Unity applications are encouraged to contact Unity directly at security@unity3d.com.

Discovery

This vulnerability was responsibly reported by an external security researcher.

Remediation Steps

Rebuild Application

  • Update the Unity Editor to the newest version then rebuild and redeploy the application.

Binary Patch

  • Using the Unity Binary Patch tool for the target platform, the Unity runtime library can be replaced with a patched version of the library.

Unity Fixed Versions

Unity fixed versions: Direct links to the first fixed versions of the Unity Editor (which includes the Unity Runtime as well)

Patched Version
6000.3.0b4
Unity Hub Link
6000.2.6f2
Unity Hub Link
6000.1.17f1
Unity Hub Link
6000.0.58f2
Unity Hub Link
2023.2.22f1
Unity Hub Link
2023.1.22f1
Unity Hub Link
2022.3.67f2
Unity Hub Link
2022.3.62f2
Unity Hub Link
2022.2.23f1
Unity Hub Link
2022.1.25f1
Unity Hub Link
2021.3.56f2
Unity Hub Link
2021.3.45f2
Unity Hub Link
2021.2.20f1
Unity Hub Link
2021.1.29f1
Unity Hub Link
2020.3.49f1
Unity Hub Link
2020.2.8f1
Unity Hub Link
2020.1.18f1
Unity Hub Link
2019.4.41f1
Unity Hub Link
2019.3.17f1
Unity Hub Link
2019.2.23f1
Unity Hub Link
2019.1.15f1
Unity Hub Link

FAQ

My application or game is released on a platform or operating system not listed, what should I do?

+

How was the vulnerability discovered?

+

What is the process for reporting future vulnerabilities to Unity?

+