Unity Security Update Advisory (CVE-2025-59489)

Summary
Applications that were built using affected versions of the Unity Editor are susceptible to an unsafe file loading and local file inclusion attack depending on the operating system, which could enable local code execution or information disclosure at the privilege level of the vulnerable application. There is no evidence of any exploitation of the vulnerability nor has there been any impact on users or customers. Unity has provided fixes that address the vulnerability and they are already available to all developers.

Vulnerability Details
CVE ID: CVE-2025-59489
Date Discovered: June 4, 2025
Discovered By: RyotaK of GMO Flatt Security Inc.
Date Patch Available: October 2, 2025
Affected Operating System: See Affected Platforms Table
Affected Versions: See Unity Editor Versions Table
Patched Versions: See Unity Editor Versions Table
Vulnerability Type: CWE-426: Untrusted Search Path
Severity: High
CVSS Score: 8.4
CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation Potential
The vulnerability could allow local code execution and access to confidential information on end user devices running Unity-built applications. Code execution would be confined to the privilege level of the vulnerable application, and information disclosure would be confined to the information available to the vulnerable application. There is no evidence of any exploitation of the vulnerability nor has there been any impact on users or customers.

Unity Editor Versions
Applications built with the indicated versions of the Unity Editor prior to the Patched Versions are considered vulnerable.

| Current in Support Versions | First Patched Version (earlier builds of the stream are affected) |
|-----------------------------|-------------------------------------------------------------------|
| 6000.3      | 6000.3.0b4  |
| 6000.2      | 6000.2.6f2  |
| 6000.0 LTS  | 6000.0.58f2 |
| 2022.3 xLTS | 2022.3.67f2 |
| 2021.3 xLTS | 2021.3.56f2 |

We have extended fixes to out-of-support versions of the Unity Editor to include Unity 2019.1 and newer.

| Out of Support Versions | First Patched Version (earlier builds of the stream are affected) |
|-------------------------|-------------------------------------------------------------------|
| 6000.1     | 6000.1.17f1 |
| 2023.2     | 2023.2.22f1 |
| 2023.1     | 2023.1.22f1 |
| 2022.3 LTS | 2022.3.62f2 |
| 2022.2     | 2022.2.23f1 |
| 2022.1     | 2022.1.25f1 |
| 2021.3 LTS | 2021.3.45f2 |
| 2021.2     | 2021.2.20f1 |
| 2021.1     | 2021.1.29f1 |
| 2020.3     | 2020.3.49f1 |
| 2020.2     | 2020.2.8f1  |
| 2020.1     | 2020.1.18f1 |
| 2019.4 LTS | 2019.4.41f1 |
| 2019.3     | 2019.3.17f1 |
| 2019.2     | 2019.2.23f1 |
| 2019.1     | 2019.1.15f1 |
| 2018.4     | none (affected, no patched build) |
| 2018.3     | none (affected, no patched build) |
| 2018.2     | none (affected, no patched build) |
| 2018.1     | none (affected, no patched build) |
| 2017.4     | none (affected, no patched build) |
| 2017.3     | none (affected: 2017.3.0b9+) |
| 2017.2     | none (affected: 2017.2.0p4+) |
| 2017.1     | none (affected: 2017.1.2p4+) |

Affected Platforms Table
Applications built with affected versions of the Unity Editor and released on these platforms could be impacted by the vulnerability.

Note: If a platform is not listed, there have been no findings to suggest that the vulnerability is exploitable.

| Platform         | Impact                                  |
|------------------|-----------------------------------------|
| Android          | Code Execution / Elevation of Privilege |
| Windows          | Elevation of Privilege                  |
| Linux (Desktop)  | Elevation of Privilege                  |
| Linux (Embedded) | Elevation of Privilege                  |
| MacOS            | Elevation of Privilege                  |

On Microsoft Windows systems, the presence of a registered custom URI handler for a vulnerable application or handler name could increase the risk of exploitation. If a custom URI scheme is present and can be invoked on the target system, an attacker who can cause that URI to be opened could trigger the vulnerable library-loading behavior without needing direct command-line access. Potential exploitation remains constrained to the privileges of the targeted application and to the data and services accessible to that process. Entities that routinely create registered URI handlers for Unity applications are encouraged to contact Unity directly at security@unity3d.com.

Discovery
This vulnerability was responsibly reported by an external security researcher.

Remediation Steps
Rebuild Application
Update the Unity Editor to the newest version then rebuild and redeploy the application.
Binary Patch
Using the Unity Binary Patch tool for the target platform, the Unity runtime library can be replaced with a patched version of the library.
Unity Fixed Versions
Unity fixed versions: Direct links to the first fixed versions of the Unity Editor (which includes the Unity Runtime as well)

Patched Version
6000.3.0b4
6000.2.6f2
6000.1.17f1
6000.0.58f2
2023.2.22f1
2023.1.22f1
2022.3.67f2
2022.3.62f2
2022.2.23f1
2022.1.25f1
2021.3.56f2
2021.3.45f2
2021.2.20f1
2021.1.29f1
2020.3.49f1
2020.2.8f1
2020.1.18f1
2019.4.41f1
2019.3.17f1
2019.2.23f1
2019.1.15f1
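As an added example that is not part of the advisory or of Unity's own tooling, the following Python classifies a build's Unity version string against the Patched Version list above, so a fleet inventory can be checked mechanically. It assumes you have already recovered each application's runtime version string (however your platform exposes it), and it deliberately treats a build as patched only if it exactly matches a listed fixed version or is newer than the newest fix point in its stream, because 2022.3 and 2021.3 carry two fix points and the builds between them should not be assumed safe.

```python
"""Classify a Unity runtime build against the CVE-2025-59489 fixed-version table."""
import re
from typing import List, Tuple

# First fixed versions per release stream, copied from the advisory's "Patched Version" list.
FIRST_FIXED: List[str] = [
    "6000.3.0b4", "6000.2.6f2", "6000.1.17f1", "6000.0.58f2", "2023.2.22f1",
    "2023.1.22f1", "2022.3.67f2", "2022.3.62f2", "2022.2.23f1", "2022.1.25f1",
    "2021.3.56f2", "2021.3.45f2", "2021.2.20f1", "2021.1.29f1", "2020.3.49f1",
    "2020.2.8f1", "2020.1.18f1", "2019.4.41f1", "2019.3.17f1", "2019.2.23f1", "2019.1.15f1",
]
# Streams the advisory lists as affected with no patched build (fixes stop at 2019.1).
UNFIXED_STREAMS = {(2018, 4), (2018, 3), (2018, 2), (2018, 1),
                   (2017, 4), (2017, 3), (2017, 2), (2017, 1)}
# Unity release-type letters in ascending order: alpha < beta < final < patch release.
_RELEASE_RANK = {"a": 0, "b": 1, "f": 2, "p": 3}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([abfp])(\d+)$")
Version = Tuple[int, int, int, int, int]  # (major, minor, patch, type_rank, build)


def parse_version(text: str) -> Version:
    """Turn '2022.3.62f2' into a tuple that sorts the way Unity orders its builds."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Unity version string: {text!r}")
    major, minor, patch, kind, build = m.groups()
    return (int(major), int(minor), int(patch), _RELEASE_RANK[kind], int(build))


def classify(build: str) -> str:
    """Return 'patched', 'affected', 'affected-no-fix' or 'unlisted' for a build string.

    Conservative rule (this example's assumption, not advisory wording): a build is
    'patched' only if it equals a listed fixed version or is newer than the newest fix
    of its stream. 2022.3 and 2021.3 carry two fix points, so builds between them are
    reported as 'affected' rather than guessed at.
    """
    v = parse_version(build)
    if v[:2] in UNFIXED_STREAMS:
        return "affected-no-fix"
    # Fixed versions belonging to the same (major, minor) stream as the build.
    fixes = [f for f in map(parse_version, FIRST_FIXED) if f[:2] == v[:2]]
    if not fixes:
        return "unlisted"  # stream absent from the advisory table; check the vendor page
    return "patched" if v in fixes or v > max(fixes) else "affected"


if __name__ == "__main__":
    # Constructed sample inventory of (application name, runtime version) pairs.
    for name, ver in [("game-a", "2021.3.45f2"), ("game-b", "2022.3.65f1"),
                      ("game-c", "6000.0.60f1"), ("game-d", "2018.4.36f1")]:
        print(f"{name:8} {ver:12} {classify(ver)}")
```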

FAQ
My application or game is released on a platform or operating system not listed, what should I do?

If an application or game is released to a platform we have not listed, there have been no findings to suggest that the vulnerability is exploitable. For added security, however, we recommend that you rebuild your games and applications with updated Unity versions.

How was the vulnerability discovered?

The vulnerability was initially discovered by a third-party researcher.

What is the process for reporting future vulnerabilities to Unity?

We have a Responsible Disclosure policy as a part of our cooperation with internal and external security researchers and also have a Bug Bounty program. For more information on our Bug Bounty program, contact security@unity3d.com or visit our Bug Bounty program on Bugcrowd.

https://unity.com/security/sept-2025-01 (Archive)
 
Because Unity doesn’t make much money off the single-member businesses anyway. The money is in medium and large businesses that don’t really care about recurring license fees because that’s already the pricing model for all the other software their business uses.
Sure, but the fiasco they pulled a few years ago completely ruined their company trust for me and many others. They raised their prices so that each install of the game (not purchase, install) would be charged 0.20 cents to the dev. I know it doesn't sound like a lot, but for some markets like mobile gaming, it was easy to get free games to 100k downloads. That's 20,000 dollars that would be charged to a dev that made a free game.

It also included games that were out for several years and it was not optional. They just changed their contractual pricing without any agreement.
It was going to legitimately bankrupt a bunch of people.

Obviously it never went through because the internet was outraged, so they just upped the prices a bit instead. But the fact that they announced it with confidence that it was a good idea shows how much they care about the gaming scene versus making a shitton of money.
 
Sure, but the fiasco they pulled a few years ago completely ruined their company trust for me and many others. They raised their prices so that each install of the game (not purchase, install) would be charged 0.20 cents to the dev. I know it doesn't sound like a lot, but for some markets like mobile gaming, it was easy to get free games to 100k downloads. That's 20,000 dollars that would be charged to a dev that made a free game.

It also included games that were out for several years and it was not optional. They just changed their contractual pricing without any agreement.
It was going to legitimately bankrupt a bunch of people.

Obviously it never went through because the internet was outraged, so they just upped the prices a bit instead. But the fact that they announced it with confidence that it was a good idea shows how much they care about the gaming scene versus making a shitton of money.
Lol businesses don’t give a shit about ‘trust’. All they care about is how much it’s going to cost now, especially in the gaming industry where most games make most of their money in the first year of release. Unity walked back and everyone flocked back because the cost of going to a new engine greatly outweighs whatever value the ‘loss of trust’ is to these developers.

A bunch of developers said they would go to Godot. What has actually been a success for Godot? I’m genuinely curious.

Grudges are always bad for business. Anyone using Godot to ‘get back’ at Unity is doomed to failure.
 
I think I remember something happening with Godot, it was taken over by trannies, or something like that. So that's not a viable option any longer.
it was a troon community manager that went wacko and they had to rein him in for being a psycho. he was spouting trans rights/wokeshit using the official account but his private discord was filled with spamming slurs/the NIGGER word. i think they lost about 20% of their monthly donationbux from the whole thing.
i still use it because i'm not going to let one single troon uproot all the work i've put in because every other competent engine is just as woke and probably run by even worse people. godot is continuing to grow and will overtake unity by next year.
i like godot and fuck everyone else who says otherwise
 
Lol businesses don’t give a shit about ‘trust’. All they care about is how much it’s going to cost now, especially in the gaming industry where most games make most of their money in the first year of release. Unity walked back and everyone flocked back because the cost of going to a new engine greatly outweighs whatever value the ‘loss of trust’ is to these developers.
You might be right about that. I guess I don't have the CEO mindset, but you aren't wrong.
A bunch of developers said they would go to Godot. What has actually been a success for Godot? I’m genuinely curious.

Grudges are always bad for business. Anyone using Godot to ‘get back’ at Unity is doomed to failure.
I don't think Godot is just a plan B for people holding a grudge, it's a legitimately good game engine. It has produced some bangers, but it's hard to compare with Unity because it's been around since forever. It won't be able to compete with Unreal for quite a while, but it's honestly not that far off Unity level. As an open source engine, you have a ton of mega autistic super programmers working and contributing to it non stop.

It's not the first time we see an Open Source project surpass the "established corporate program". You have to give it time to grow and believe in the project.
  • Blender used to be dogshit and now it's way more widespread used over Maya for 3D development.
  • Krita is a great entry point for drawing programs as well (though artists are very autistic with their preferred program so there's a ton of options, but Krita is still high up despite being open source).
  • Audacity is one of the most used Audio programs, most people don't even know of an alternative (probably something like Adobe Audition).
Not every open source is a banger set for success but if you have the right amount of support (like Godot has, turns out a lot of people are passionate about gaming) you might have a success story.
i like godot and fuck everyone else who says otherwise
Same for me. It's very clear that people are very passionate about Godot. I'm sure there are troons involved because they are everywhere but it's not a reason to stop using it. There's thousands of contributions to the engine yearly and it's a disservice to throw that away because a troon was retarded on socials.

Godot really feels like Gaming's last push for a world where games are more about being fun or art over making millions of dollars to a fucking Jew that knows nothing about videogames.
That's why I always shill for them - If it's not for you because you need a better option, its fine, I don't blame you, but I always try to get people to at least try it. I might not be able to contribute code but this is where I am doing "my part" for the engine.
 
  • Blender used to be dogshit and now it's way more widespread used over Maya for 3D development.
  • Krita is a great entry point for drawing programs as well (though artists are very autistic with their preferred program so there's a ton of options, but Krita is still high up despite being open source).
  • Audacity is one of the most used Audio programs, most people don't even know of an alternative (probably something like Adobe Audition).
Of these three, Blender’s the only one that has become an industry standard. Never heard of Krita. Audacity is crap. People use it because it’s the best free option, but comparing it to Audition makes it look worse than comparing the GIMP to Photoshop, and Audition is a mid-grade Prosumer tool. The industry standard would be Pro Tools.

Open Source software often works for low-level systems that need to be maintained by developers, but is bad at replacing desktop apps. A game engine is a hybrid. There are low-level aspects and there is a need for a slick interface. I think a big thing that Godot lacks is accessibility and support. Those things are often more valuable than anything else. It’s very easy to get a proof-of-concept working that looks good in Unity in a day.
 
Open Source software often works for low-level systems that need to be maintained by developers, but is bad at replacing desktop apps. A game engine is a hybrid. There are low-level aspects and there is a need for a slick interface. I think a big thing that Godot lacks is accessibility and support. Those things are often more valuable than anything else. It’s very easy to get a proof-of-concept working that looks good in Unity in a day.
That's fair. I just use Godot to mess around in some game jams, I am not speaking from the perspective of a professional.
It's just very easy to learn in comparison to the alternatives in my opinion. Whether or not it will become an industry standard is up in the air, and if it does happen, it's not gonna be tomorrow, it's gonna take a long time.

I guess I'm just a Positive Polly about it and I want to support this project at least by using it and spreading it around.
That being said, I have a fairly good opinion of Unreal Engine as well - If I were to learn an engine for work reasons I would invest in Unreal. I just can't support Unity at all.
 
A bunch of developers said they would go to Godot. What has actually been a success for Godot? I’m genuinely curious.
Cruelty Squad. Godot is a perfectly fine engine. In fact, Unity is the one that's famously a pain in the ass to ship on. Talk to any engineer who shipped a Unity game, see if they don't have horror stories about wrangling performance by the end of it.
 
So does this mean people should start avoiding random free unity games that haven't been updated in years like the plague? Or does it only affect games that involve the internet in some way?
 
Sure, but the fiasco they pulled a few years ago completely ruined their company trust for me and many others. They raised their prices so that each install of the game (not purchase, install) would be charged 0.20 cents to the dev.
that was only after your application had a certain number of installs AND made a certain amount of money. 99% of the people complaining wouldn't have been affected and the last 1% would have been easily able to afford it. Unity's biggest mistake was not making this clear enough to all the trannies and third worlders who make garbage that nobody installs or buys. these limits were also going to be waived if you used Unity's advertising network so the entire thing was obviously targeting ad-driven mobile "games" whose developers deserve to have their dirty money be stolen by Unity anyway

 
Cruelty Squad. Godot is a perfectly fine engine. In fact, Unity is the one that's famously a pain in the ass to ship on. Talk to any engineer who shipped a Unity game, see if they don't have horror stories about wrangling performance by the end of it.
Skill issue.
 
that was only after your application had a certain number of installs AND made a certain amount of money. 99% of the people complaining wouldn't have been affected and the last 1% would have been easily able to afford it.
It doesn't matter how many people were affected - Once you have a contract with the company, they can't retroactively change the terms especially in money related terms.
The problem was that they were going to make everyone that used Unity accept this retroactively because their projects are ransomed by the engine.
It's not like you can just port a game you worked on for years to another engine like its nothing.

It's one thing to say "okay from now on its gonna cost 20% more for this license". It's a whole other thing to say "yeah if you had a successful game you actually owe us a bunch of money because huhhh we changed the contract terms and you have to accept them - now pay up" (this was free before btw). You can spin it all you want with "huhhh actually it only 1% of devs would be affected" and you would be right, but that's not the point here.

You can like Unity all you want I will respect your choice, but don't misrepresent their robbery scheme as "not a big deal". It was a huge fucking deal and they got called out for it like they should. It was wrong and you know it.
 
Huh, I didn’t know there was such a thing as safe file handling given that Unity hard crashes every time I use the damn thing.
that and it's a poorly optimized piece of shit and at the time it was created was only made for small indie games, starting to actually think that SCRATCH is one of the best easy to learn game engines to date.
 
Personally, I was frustrated with Unity when I learned it, and when the debacle with install fee happened I took a plunge and switched my entire project to UE. I am so happy I did it. The difference is not only in lighting, although having nice lighting out of the box is nice, but first and foremost you can see the engine code, and if you have any skills in C++ you don't have to rely on Blueprints (I really use them mostly for UI layout).
Godot is good for toy projects imho.
 
A bunch of developers said they would go to Godot. What has actually been a success for Godot? I’m genuinely curious.
Sonic Colors seems to be the most well-known example.

It hasn't dropped yet, but the Slay the Spire devs moved StS2's development to Godot after the controversy and I would expect that to be a million seller though it won't be on the same scale as Silksong.
 