CVE-2025-59489: Arbitrary Code Execution in Unity Runtime

Posted on October 3, 2025 • 6 minutes • 1067 words

Introduction

Hello, I’m RyotaK (@ryotkak), a security engineer at GMO Flatt Security Inc.

In May 2025, I participated in the Meta Bug Bounty Researcher Conference 2025. During this event, I discovered a vulnerability (CVE-2025-59489) in the Unity Runtime that affects games and applications built on Unity 2017.1 and later.

In this article, I will explain the technical aspects of this vulnerability and its impact.

This vulnerability was disclosed to Unity following responsible disclosure practices. Unity has since released patches for Unity 2019.1 and later, as well as a Unity Binary Patch tool to address the issue, and I strongly encourage developers to download the updated versions of Unity, recompile affected games or applications, and republish as soon as possible.

For the official security advisory, please refer to Unity’s advisory here: https://unity.com/security/sept-2025-01

We appreciate Unity’s commitment to addressing this issue promptly and their ongoing efforts to enhance the security of their platform. Security vulnerabilities are an inherent challenge in software development, and by working together as a community, we can continue to make software systems safer for everyone.

TL;DR

A vulnerability was identified in the Unity Runtime’s intent handling process for Unity games and applications. This vulnerability allows malicious intents to control command line arguments passed to Unity applications, enabling attackers to load arbitrary shared libraries (.so files) and execute malicious code, depending on the platform. In its default configuration, this vulnerability allowed malicious applications installed on the same device to hijack permissions granted to Unity applications.
In specific cases, the vulnerability could be exploited remotely to execute arbitrary code, although I didn’t investigate third-party Unity applications to f...
First seen: 2025-10-03 16:53
Last seen: 2025-10-03 21:54