
A newly disclosed high-severity vulnerability in the Unity Runtime could allow attackers to execute arbitrary code on systems running Unity-built applications across Android, Windows, Linux, and macOS.
The flaw, tracked as CVE-2025-59489, affects all Unity projects built with Unity Editor version 2017.1 and newer, potentially impacting thousands of games and apps, including top mobile titles.
The vulnerability was discovered by RyotaK, a security engineer at GMO Flatt Security Inc., during the Meta Bug Bounty Researcher Conference 2025. The issue was responsibly disclosed to Unity on June 4, 2025, and a coordinated remediation effort followed.
On October 2, 2025, Unity released a patch covering all supported versions from Unity 2019.1 onward. In addition, it provided a Unity Binary Patch tool for developers unable to recompile full builds.
Vulnerability details
Unity-built Android apps automatically export an activity called UnityPlayerActivity, which accepts an Intent extra (the Unity extra) whose contents are forwarded to the runtime as command-line arguments. This feature, while convenient for developers, introduces a critical risk: any app on the same device can send crafted Intents carrying malicious arguments to Unity apps.
A specific command-line argument, -xrsdk-pre-init-library, is parsed by the Unity Runtime to load a shared native library using the dlopen() function. This behavior effectively allows attackers to point the argument at a malicious .so (shared object) file and execute arbitrary code within the Unity app's process.
This exploit chain can extend to remote attack vectors under certain conditions. If the Unity app has exported a browsable activity and handles custom URI schemes, a malicious website could launch the app with crafted extras. While Android’s SELinux policy mitigates direct file loading from shared storage like Downloads, apps that cache attacker-controlled content into private storage remain at risk, especially if that data can be interpreted as a native library.
Widespread impact
Unity, one of the most widely adopted game development platforms, powers approximately 70% of all mobile games. Its cross-platform support spans Android, Windows, Linux (desktop and embedded), and macOS, all of which are impacted by this vulnerability.
The issue impacts games and applications compiled with Unity Editor versions 2017.1 and later, across both in-support and out-of-support versions. Unity has only provided patched builds for versions starting from 2019.1.
On Windows, the vulnerability could be exploited via registered custom URI handlers. For instance, a malicious website could launch a Unity app via a URI containing the dangerous -xrsdk-pre-init-library parameter, leading to code execution in the context of the game. On macOS, similar risks apply if Unity apps are launched with external inputs that allow attacker-supplied arguments. On Android, exploitation is simpler due to the Intent system.
Valve has rolled out an update to its Steam client, blocking launch attempts that contain any of the four vulnerable Unity command-line parameters, effectively preventing exploitation through steam:// or desktop shortcuts.
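The mechanism described under "Vulnerability details" (an attacker-controlled argument list reaching the Unity Runtime) and the mitigation Valve applied to the Steam client (refusing launches whose arguments contain a blocked Unity parameter) can be illustrated with a launch-argument screen of the same shape. The following is an added example written for this article; it is not Unity's, Valve's or RyotaK's code. Only -xrsdk-pre-init-library is named on the page, so the other three parameters in Valve's block list are represented by a labelled placeholder. The matching rules (case-insensitive flag comparison, a value supplied either as the next token or after "=", and arguments arriving URL-encoded in a custom-scheme URI's query string) are assumptions made for the example, not behaviour documented here.

```python
"""Defensive launch-argument screen for Unity-built applications.

Added example, not vendor code. Models a launcher-side policy like the one
the article attributes to the Steam client: refuse any launch whose argument
list carries a Unity parameter that makes the runtime dlopen() a native
library. Assumptions (not from the article): flags compare case-insensitively,
'--flag' and '-flag' are equivalent, a value may follow as the next token or
after '=', and URI-delivered arguments may be percent-encoded.
"""
import shlex
from urllib.parse import parse_qs, unquote, urlparse

# Parameters that must never reach the Unity Runtime from an untrusted launch.
BLOCKED_UNITY_ARGS = frozenset({
    "-xrsdk-pre-init-library",            # named in the disclosure
    # "<OTHER_BLOCKED_PARAMETER>",        # placeholder: three more are in
    #                                     # Valve's list but not named here
})


def normalize_flag(token: str) -> str:
    """Canonical flag form: '--XRSDK-Pre-Init-Library=/x.so' -> '-xrsdk-pre-init-library'.

    Non-flag tokens (no leading '-') are returned unchanged.
    """
    token = unquote(token)                # undo %20 etc. from URI payloads
    if not token.startswith("-"):
        return token
    flag = token.split("=", 1)[0]         # drop an attached '=value'
    flag = "-" + flag.lstrip("-")         # collapse '--flag' to '-flag'
    return flag.lower()


def find_blocked_args(argv):
    """Return [(index, canonical_flag, value_or_None)] for each blocked parameter.

    The value is read from '-flag=value', or from the following token when that
    token does not itself look like a flag (conservative: a '-1' style value
    would be treated as a flag and the value reported as None).
    """
    hits = []
    for i, token in enumerate(argv):
        flag = normalize_flag(token)
        if flag not in BLOCKED_UNITY_ARGS:
            continue
        decoded = unquote(token)
        if "=" in decoded:
            value = decoded.split("=", 1)[1]
        elif i + 1 < len(argv) and not argv[i + 1].startswith("-"):
            value = unquote(argv[i + 1])
        else:
            value = None
        hits.append((i, flag, value))
    return hits


def argv_from_launch_uri(uri: str, arg_param: str = "args"):
    """Extract an argv list from a custom-scheme launch URI.

    Assumes the arguments travel, shell-quoted, in one query parameter
    (default name 'args'). The real layout is app-specific and not on the page.
    """
    raw = parse_qs(urlparse(uri).query).get(arg_param, [""])[0]
    return shlex.split(raw)


def launch_allowed(argv) -> bool:
    """Steam-style policy: any hit refuses the whole launch."""
    return not find_blocked_args(argv)


if __name__ == "__main__":
    # Constructed sample launches, not real captures.
    benign = ["-screen-width", "1920", "-screen-height", "1080"]
    hostile = ["-screen-width", "1920",
               "--XRSDK-pre-init-library=/path/to/attacker_controlled.so"]
    uri = "mygame://play?args=-xrsdk-pre-init-library%20%2Fpath%2Fto%2Fpayload.so"
    print("benign allowed:", launch_allowed(benign))
    print("hostile hits:", find_blocked_args(hostile))
    print("uri hits:", find_blocked_args(argv_from_launch_uri(uri)))
```

The screen deliberately normalizes before matching so that casing tricks, a doubled dash, or an attached "=value" do not slip a blocked flag past an exact-string comparison; a launcher that only compared raw tokens against "-xrsdk-pre-init-library" would miss all three variants.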
Microsoft issued an advisory confirming that some of its own applications and games were affected, recommending temporary uninstallation of vulnerable apps and enabling Microsoft Defender, which now detects and blocks exploitation attempts. Xbox, Xbox Cloud Gaming, and iOS apps are not affected.