Description

Unity Runtime before 2025-10-02 on Android, Windows, macOS, and Linux allows argument injection that can result in loading of library code from an unintended location. If an application was built with a version of Unity Editor that had the vulnerable Unity Runtime code, then an adversary may be able to execute code on, and exfiltrate confidential information from, the machine on which that application is running. NOTE: product status is provided for Unity Editor because that is the information available from the Supplier. However, updating Unity Editor typically does not address the effects of the vulnerability; instead, it is necessary to rebuild and redeploy all affected applications.

PUBLISHED Reserved 2025-09-16 | Published 2025-10-03 | Updated 2025-10-03 | Assigner mitre




HIGH: 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Product status

Default status: unaffected

6000.3 before 6000.3.0b4: affected
6000.2 before 6000.2.6f2: affected
6000.0 LTS before 6000.0.58f2: affected
2022.3 xLTS before 2022.3.67f2: affected
2021.3 xLTS before 2021.3.56f2: affected
6000.1 before 6000.1.17f1: affected
2023.2 before 2023.2.22f1: affected
2023.1 before 2023.1.22f1: affected
2022.3 LTS before 2022.3.62f2: affected
2022.2 before 2022.2.23f1: affected
2022.1 before 2022.1.25f1: affected
2021.3 LTS before 2021.3.45f2: affected
2021.2 before 2021.2.20f1: affected
2021.1 before 2021.1.29f1: affected
2020.3 before 2020.3.49f1: affected
2020.2 before 2020.2.8f1: affected
2020.1 before 2020.1.18f1: affected
2019.4 LTS before 2019.4.41f1: affected
2019.3 before 2019.3.17f1: affected
2019.2 before 2019.2.23f1: affected
2017.1.2p4 before 2019.1.15f1: affected

References

unity.com/security

unity.com/security/sept-2025-01

flatt.tech/...sts/arbitrary-code-execution-in-unity-runtime/

cve.org (CVE-2025-59489)

nvd.nist.gov (CVE-2025-59489)