Key Takeaways
1. A high-severity vulnerability (CVE-2025-59489) in Unity's runtime, allowing code execution on the local machine, has been disclosed and affects builds made with Unity 2017.1 and later.
2. The vulnerability received a “High” severity score of 8.4 out of 10, prompting Unity to issue urgent warnings for developers to update their games.
3. Unity provided immediate fixes for versions 2019.1 and later, along with a binary patcher tool for older builds back to 2017.1.
4. The disclosure triggered a scramble across the gaming industry, with developers rushing to patch their games and some titles temporarily pulled from digital storefronts until rebuilt.
5. Unity's swift response likely prevented a larger crisis, and the case shows how a flaw in shared engine code is inherited by every build until that build is recompiled or patched.
A significant security issue that has been present in Unity's engine since 2017 has recently come to light. Following its discovery, developers around the world received a warning from the platform urging them to recompile and republish their games to protect users.
Details of the Vulnerability
The vulnerability, identified as CVE-2025-59489, allows code execution through argument injection into the Unity Runtime. An attacker with local access (on Android, another application installed on the same device) can pass crafted arguments that cause the runtime to load a library it did not ship with, so attacker-controlled code runs with the privileges and data access of the vulnerable application.
The flaw was reported to Unity on June 4, 2025, by security researcher RyotaK of GMO Flatt Security Inc. It affects games and applications built with Unity 2017.1 and newer on Android, Windows, Linux, and macOS, with Android the most exposed because other apps can reach the game's entry point directly.
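The practical first question for anyone shipping or auditing a Unity title is whether a given build falls in the advisory's range. The script below is an added example, not Unity's tooling: it pulls Unity engine version strings out of a build artifact (Unity embeds strings such as "2019.4.40f1" in its build data and player binaries) and reports whether they are 2017.1 or later. The sample blobs are constructed stand-ins for slices of real build files, and the 2017.1 floor is the only fact it relies on from the advisory.

```python
"""Triage helper: find Unity engine version strings inside a build artifact and
say whether they fall in the range the advisory lists for CVE-2025-59489.
Constructed example, not Unity's own tooling; assumptions are marked inline."""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List

# Unity version strings look like "2019.4.40f1" or "6000.0.23f1" (Unity 6 uses a
# 6000.x major, so plain numeric comparison still orders it after 2023.x).
# Pre-2017 releases were "5.x.yfN". The trailing letter is the release channel
# (a alpha, b beta, f final, p patch); triage compares only the numbers.
_PATTERN = r"(\d+)\.(\d+)\.(\d+)([abfp])(\d+)"
VERSION_RE = re.compile(_PATTERN)
VERSION_RE_BYTES = re.compile(_PATTERN.encode())

# Lower bound of the affected range (Unity 2017.1 and later) from the advisory.
AFFECTED_FLOOR = (2017, 1)


@dataclass(frozen=True)
class UnityVersion:
    major: int
    minor: int
    patch: int
    channel: str
    build: int

    def __str__(self) -> str:
        return f"{self.major}.{self.minor}.{self.patch}{self.channel}{self.build}"


def _from_match(m) -> UnityVersion:
    # Groups are bytes when matched against a blob, str when matched against text.
    g = [x.decode() if isinstance(x, bytes) else x for x in m.groups()]
    return UnityVersion(int(g[0]), int(g[1]), int(g[2]), g[3], int(g[4]))


def parse_version(text: str) -> UnityVersion:
    """Parse one Unity version string such as '2021.3.45f1'."""
    m = VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a Unity version string: {text!r}")
    return _from_match(m)


def find_versions(blob: bytes) -> List[UnityVersion]:
    """Return distinct version strings found in raw bytes, in order of appearance.
    A regex over the bytes is enough to locate the embedded engine version
    without a parser for Unity's file formats; a false hit just means a manual look."""
    seen: List[UnityVersion] = []
    for m in VERSION_RE_BYTES.finditer(blob):
        v = _from_match(m)
        if v not in seen:
            seen.append(v)
    return seen


def in_affected_range(v: UnityVersion) -> bool:
    """True if the engine version is 2017.1 or later (the advisory's floor)."""
    return (v.major, v.minor) >= AFFECTED_FLOOR


def triage(blob: bytes) -> Dict[str, object]:
    """Summarise one build artifact. Caveat: the version string alone cannot show
    whether Unity's binary patcher was applied to an older build, so 'affected'
    means 'in the advisory range and must be verified', not 'exploitable'."""
    versions = find_versions(blob)
    flagged = [str(v) for v in versions if in_affected_range(v)]
    if not versions:
        note = "no Unity version string found; inspect manually"
    elif flagged:
        note = "engine version in advisory range: rebuild with a patched Editor or confirm the binary patcher was applied"
    else:
        note = "engine version predates 2017.1; outside the advisory range"
    return {"versions": [str(v) for v in versions], "affected": bool(flagged), "note": note}


# Constructed sample blobs standing in for slices of real build files.
SAMPLE_MODERN_BUILD = b"\x00\x00UnityFS\x00\x00\x002019.4.40f1\x00\x00...2019.4.40f1\x00"
SAMPLE_LEGACY_BUILD = b"\x00\x00UnityRaw\x00\x00\x005.6.7f1\x00\x00"


def main(paths: List[str]) -> None:
    """Scan the files given on the command line, or the samples if none."""
    for path in paths:
        with open(path, "rb") as fh:
            print(path, triage(fh.read()))
    if not paths:
        print("modern:", triage(SAMPLE_MODERN_BUILD))
        print("legacy:", triage(SAMPLE_LEGACY_BUILD))


if __name__ == "__main__":
    main(sys.argv[1:])
```

Point it at an APK's extracted `assets/bin/Data/globalgamemanagers`, a desktop `UnityPlayer.dll` or the `.so` equivalent, and treat a hit as the start of verification: a build in range is fixed only if it was rebuilt with a patched Editor or run through Unity's binary patcher, and neither is visible from the version string.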
Severity and Response
Under the Common Vulnerability Scoring System (CVSS), which rates the seriousness of software vulnerabilities, the flaw received a "High" score of 8.4 out of 10.
Unity disclosed the vulnerability on October 2, 2025, releasing patched Unity Editor versions the same day for 2019.1 and later. It also published a binary patcher tool to retrofit existing builds dating back to 2017.1 without a full rebuild.
In its official security notice, Unity stated, "There is no evidence of any exploitation or vulnerability, nor has there been any impact on users or customers." It added, "We have proactively provided fixes that address the vulnerability, and they are already available to all developers."
Industry Reactions
The disclosure set off a scramble across the industry, with both major studios and indie developers rushing to update their titles, and some games temporarily removed from storefronts until patched builds were ready. On October 3, Obsidian Entertainment took down several Unity-based games, including Pillars of Eternity II: Deadfire and Pentiment. Innersloth, the developer of Among Us, and Marvel Snap's Second Dinner confirmed they had issued patches for their mobile games.
In a similar vein, PsychoFlux Entertainment has reportedly patched 11 games on Steam, including Gravity Castle and Fingerdance, while Tenbris Studio made updates to its horror game “Your Computer Might be At Risk” on the platform.
The incident shows that a long-lived flaw in shared engine code is inherited by every build that ships it, and stays there until each build is recompiled or patched. Nonetheless, Unity's prompt action has likely mitigated what could have been a larger crisis for a game engine that supports around 750,000 games, from AAA projects to indie titles.