Unity Technologies has issued a critical security advisory warning developers about a high severity vulnerability in its widely used game development platform.
The flaw, officially designated CVE-2025-59489, exposes applications built with vulnerable Unity Editor versions to unsafe file loading attacks. These attacks could enable local code execution and privilege escalation across multiple operating systems.
The vulnerability stems from an untrusted search path weakness (CWE-426). This weakness allows attackers to exploit unsafe file loading mechanisms within applications created with Unity. With a CVSS score of 8.4 out of 10.0, this security issue affects nearly all Unity Editor versions from 2017.1 through the current releases, potentially impacting millions of deployed games and applications worldwide.
Local File Inclusion Vulnerability Impacts
The vulnerability manifests differently based on the operating system. Android applications face the highest risk, as they are susceptible to both code execution and elevation of privilege attacks. Platforms including Windows, Linux Desktop, Linux Embedded, and macOS face elevation of privilege risks. This allows attackers to gain unauthorized access at the application’s current privilege level.
Security researchers at GMO Flatt Security Inc. discovered the flaw on June 4, 2025, and followed responsible disclosure practices. The vulnerability exploits local file inclusion mechanisms, enabling attackers to execute arbitrary code confined to the vulnerable application’s privilege level. This also allows them to potentially access confidential information available to that process.
On Windows systems, the threat becomes more complex when custom URI handlers are registered for Unity applications. Attackers who can trigger these URI schemes may exploit the vulnerable library loading behavior without requiring direct command line access. This significantly expands the overall attack surface.
Mitigation and Patches
Unity has released patches for all supported versions and extended fixes to legacy versions dating back to Unity 2019.1. The company provides two main remediation approaches: developers can either rebuild their applications with updated Unity Editor versions, or they can apply binary patches using Unity’s specialized patch tool for already deployed applications.
Current supported versions, including 6000.3, 6000.2, 6000.0 LTS, 2022.3 xLTS, and 2021.3 xLTS, have received immediate patches. Legacy versions spanning from 2019.1 through 2023.2 also received security updates. However, versions 2017.1 through 2018.4 remain unpatched and should be upgraded immediately.
The vulnerability vector string indicates local attack vectors with low complexity requirements and no user interaction needed. This makes exploitation relatively straightforward for attackers with local system access. Unity emphasizes that they have found no evidence of active exploitation, and no customer impact has been reported to date.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
