CVE-2025-59489: Arbitrary Code Execution in Unity Runtime since 2017
- #Unity
- #Vulnerability
- #Security
- CVE-2025-59489 is a vulnerability in Unity Runtime affecting games and applications built on Unity 2017.1 and later.
- The vulnerability lets malicious intents control command-line arguments, enabling arbitrary code execution.
- Attackers can exploit this to load arbitrary shared libraries (.so files) and execute malicious code within the context of Unity applications.
- Local exploitation is possible via malicious applications on the same device, while remote exploitation requires specific conditions.
- Unity has released patches for versions 2019.1 and later, urging developers to update and recompile affected applications.
- The vulnerability was discovered during the Meta Bug Bounty Researcher Conference 2025 and responsibly disclosed to Unity.
- SELinux restrictions mitigate most remote exploitation scenarios, but local attacks remain feasible.
- The article highlights the importance of security in frameworks and libraries, promoting awareness and proactive measures.
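
Because the local vector is an intent sent by another application on the same device, a defender triaging builds can start by listing which Unity entry activities other apps are able to start. The following inventory check is an added example, not code from the original article or from Unity. It assumes a decoded, text-form `AndroidManifest.xml` (for example from apktool) and Unity's stock Android activity class names; the manifest and the `com.example.game` names are constructed sample data.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Unity's stock Android entry activities. Custom subclasses are not detected
# by name and must be supplied by the caller (assumption of this example).
UNITY_ACTIVITIES = {
    "com.unity3d.player.UnityPlayerActivity",
    "com.unity3d.player.UnityPlayerGameActivity",
}

def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def exported_unity_activities(manifest_xml, extra_names=()):
    """Return Unity activities that other apps on the device can start."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    wanted = UNITY_ACTIVITIES | set(extra_names)
    hits = []
    for act in root.iter("activity"):
        name = _attr(act, "name") or ""
        if name.startswith("."):          # relative class name
            name = package + name
        if name not in wanted:
            continue
        exported = _attr(act, "exported")
        has_filter = act.find("intent-filter") is not None
        # With no explicit attribute, an intent-filter implied exported=true
        # on Android releases before 12.
        if exported == "true" or (exported is None and has_filter):
            hits.append(name)
    return hits

# Constructed sample manifest for illustration only.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
  <application>
    <activity android:name="com.unity3d.player.UnityPlayerActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name="com.unity3d.player.UnityPlayerGameActivity" android:exported="false"/>
    <activity android:name=".SettingsActivity" android:exported="true"/>
    <activity android:name=".MyUnityActivity">
      <intent-filter><action android:name="android.intent.action.VIEW"/></intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(exported_unity_activities(SAMPLE_MANIFEST, ["com.example.game.MyUnityActivity"]))
```

A hit only marks an application whose Unity version should be checked and which should be rebuilt with a patched release; it does not by itself show that the build is vulnerable.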