A Critical Flaw in Unity

A major security vulnerability has been discovered in the Unity engine, tracked as CVE-2025-59489. The flaw affects Unity 2017.1 and later across Windows, macOS, Linux, and Android, making it one of the most widespread issues in recent memory for both developers and players. The discovery was made in June 2025 by RyotaK of GMO Flatt Security, and Unity issued patches on October 2, 2025. With a CVSS score of 8.4, the severity is considered high.

What’s the Vulnerability?

The problem lies in how Unity applications handle command-line arguments. Under certain conditions, attackers can craft malicious arguments that trick Unity into loading a harmful DLL or shared library. This opens the door to local code execution and potential information leaks. In practice, that means a Unity app could be manipulated into running code it was never meant to, giving attackers a dangerous foothold.

Why It Matters

The implications vary depending on the platform. On Windows, Unity apps that register custom URI handlers are particularly vulnerable, since a single malicious link could trigger the exploit. On Android, the risk comes from rogue apps that can hijack Unity-based software, with some researchers warning that even crypto wallets could be targeted. The impact has already been felt across the industry: popular titles such as Among Us, Fallout Shelter, Pentiment, Pillars of Eternity, and Overcooked 2 were temporarily pulled or patched. Even non-game Unity components, like bundled artbooks, were affected.

The Fix

Unity has released patched versions of the engine, including 6000.3.0b4, 6000.2.6f2, 6000.0.58f2, 2022.3.67f2, and 2021.3.56f2, with backports available for 2019.1. Developers are strongly encouraged to rebuild and redeploy their projects using these patched versions. For those unable to rebuild immediately, Unity has also provided a binary patcher. On the defensive side, Microsoft has updated Defender to detect exploitation attempts, and Steam has added client-side protections to reduce the risk of malicious launches.

What Players Should Do

For players, the best defense is simple: keep your games updated. On Windows, be cautious with links that open Unity-based apps until you know they’ve been patched. On Android, avoid sideloading APKs and make sure your Unity-based games are updated through official channels. If you use your phone for crypto wallets, it may be wise to keep them isolated from gaming apps until the ecosystem has fully caught up with patches.

What Devs Should Do

For developers, the path forward is clear. Check your Unity version and upgrade to one of the patched releases. Rebuild and redeploy your projects as soon as possible, or apply Unity’s binary patcher if rebuilding isn’t an option. It’s also worth auditing whether your app registers custom URI handlers, since those are particularly high-risk in this scenario.
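To make the two checks above concrete, here is an added example script (not Unity's code and not from the article) that a developer can run before shipping: it reads the editor version from a project's ProjectSettings/ProjectVersion.txt, compares it against the patched releases the article lists for each release stream, and scans an Android manifest for custom URI schemes on activities, since URI-handler registration is the higher-risk configuration. The ProjectVersion.txt and AndroidManifest.xml contents embedded below are constructed samples; the Unity version format (year.minor.patch followed by a/b/f/p and a number) and the m_EditorVersion key are real, while the stream-to-fixed-version table is assumed to be exactly the list in the article and reports anything else as "check the advisory".

```python
"""Added example: pre-release audit for CVE-2025-59489 exposure.
Not part of Unity or the article; sample file contents are constructed."""
import re
import xml.etree.ElementTree as ET

# Patched releases as listed in the article, keyed by release stream
# (major.minor). Streams not in this table are reported, not guessed.
PATCHED = {
    "6000.3": "6000.3.0b4",
    "6000.2": "6000.2.6f2",
    "6000.0": "6000.0.58f2",
    "2022.3": "2022.3.67f2",
    "2021.3": "2021.3.56f2",
}
# Unity release types in ascending order: alpha < beta < final < patch.
RELEASE_ORDER = {"a": 0, "b": 1, "f": 2, "p": 3}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([abfp])(\d+)$")
ANDROID_NS = "http://schemas.android.com/apk/res/android"


def parse_version(text):
    """Turn '2021.3.45f1' into a comparable tuple (2021, 3, 45, 2, 1)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Unity version: {text!r}")
    major, minor, patch, kind, num = m.groups()
    return (int(major), int(minor), int(patch), RELEASE_ORDER[kind], int(num))


def check_version(version):
    """Classify an editor version: not_affected, patched, vulnerable,
    or unknown_stream (no fixed release listed for that stream)."""
    v = parse_version(version)
    if v[:2] < (2017, 1):  # the flaw affects 2017.1 and later
        return "not_affected", "predates Unity 2017.1"
    stream = f"{v[0]}.{v[1]}"
    fixed = PATCHED.get(stream)
    if fixed is None:
        return "unknown_stream", f"no listed fix for {stream}; consult Unity's advisory"
    if v >= parse_version(fixed):
        return "patched", f"{version} >= {fixed}"
    return "vulnerable", f"{version} < {fixed}; rebuild on {fixed} or apply the binary patcher"


def editor_version_from_project_version(text):
    """Extract m_EditorVersion from ProjectSettings/ProjectVersion.txt."""
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "m_EditorVersion":
            return value.strip()
    raise ValueError("m_EditorVersion not found")


def custom_uri_schemes(manifest_xml):
    """Return sorted (activity, scheme) pairs for every non-http(s) scheme
    declared in an intent-filter, i.e. the custom URI handlers to review."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for activity in root.iter("activity"):
        name = activity.get(f"{{{ANDROID_NS}}}name")
        for data in activity.iter("data"):
            scheme = data.get(f"{{{ANDROID_NS}}}scheme")
            if scheme and scheme not in ("http", "https"):
                found.add((name, scheme))
    return sorted(found)


def audit_project(project_version_text, manifest_xml):
    """Combine both checks into one report dict."""
    version = editor_version_from_project_version(project_version_text)
    status, detail = check_version(version)
    return {
        "editor_version": version,
        "status": status,
        "detail": detail,
        "custom_uri_schemes": custom_uri_schemes(manifest_xml),
    }


# Constructed sample inputs (the revision hash is a placeholder).
SAMPLE_PROJECT_VERSION = """m_EditorVersion: 2021.3.45f1
m_EditorVersionWithRevision: 2021.3.45f1 (revision-placeholder)
"""
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
  <application>
    <activity android:name="com.unity3d.player.UnityPlayerActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="examplegame" android:host="open"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for key, value in audit_project(SAMPLE_PROJECT_VERSION, SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Run it inside a Unity project by feeding it the real ProjectSettings/ProjectVersion.txt and, for Android builds, the merged AndroidManifest.xml from the build output. A "vulnerable" result means rebuild on the listed fixed release or apply Unity's binary patcher; any custom scheme in the output is a handler whose inbound links deserve review before release.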

Final Thoughts

This vulnerability is a reminder that even the most popular engines are not immune to security flaws. The good news is that patches are already available and, so far, no active exploitation has been reported. Still, both gamers and developers need to stay alert and act quickly. For developers experimenting with Unity, even on small projects, it’s important to start with a patched version before shipping anything. Security, after all, is part of good game design.