Vulnerability Description
Unity Runtime before 2025-10-02 on Android, Windows, macOS, and Linux allows argument injection that can result in loading of library code from an unintended location. If an application was built with a version of Unity Editor that had the vulnerable Unity Runtime code, then an adversary may be able to execute code on, and exfiltrate confidential information from, the machine on which that application is running. NOTE: product status is provided for Unity Editor because that is the information available from the Supplier. However, updating Unity Editor typically does not address the effects of the vulnerability; instead, it is necessary to rebuild and redeploy all affected applications.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Unity | Editor | >= 2017.4, <= 2018.4 |
| Apple | Macos | - |
| Android | - | |
| Linux | Linux Kernel | - |
| Microsoft | Windows | - |
Related Weaknesses (CWE)
References
- https://flatt.tech/research/posts/arbitrary-code-execution-in-unity-runtime/ExploitThird Party Advisory
- https://unity.com/security#security-updates-and-patchesProduct
- https://unity.com/security/sept-2025-01Vendor Advisory
FAQ
What is CVE-2025-59489?
CVE-2025-59489 is a vulnerability with a CVSS score of 7.4 (HIGH). Unity Runtime before 2025-10-02 on Android, Windows, macOS, and Linux allows argument injection that can result in loading of library code from an unintended location. If an application was built with...
How severe is CVE-2025-59489?
CVE-2025-59489 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-59489?
Check the references section above for vendor advisories and patch information. Affected products include: Unity Editor, Apple Macos, Google Android, Linux Linux Kernel, Microsoft Windows.