Unity Security Update CWE-426: Untrusted Search Path

1 month ago 2

Vulnerability Details

CVE ID: CVE-2025-59489

Date Discovered: June 4, 2025

Discovered By: RyotaK of GMO Flatt Security Inc.

Date Patch Available: October 2, 2025

Affected Operating System: See Affected Operating Systems Table

Affected Versions: See Unity Editor Versions Table

Patched Versions: See Unity Editor Versions Table

Vulnerability Type: CWE-426: Untrusted Search Path

Severity: High

CVSS Score: 8.4

CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation Potential

Could allow local code execution and access to confidential information on end user devices running unity-built applications. Code execution would be confined to the privilege level of the vulnerable application, and information disclosure would be confined to the information available to the vulnerable application.There is no evidence of any exploitation of the vulnerability nor has there been any impact on users or customers.

Unity Editor Versions Table

Applications built with the indicated versions of the Unity Editor prior to the Patched Versions are considered vulnerable.

Current in Support Versions

Affected Platforms Table

Applications built with affected versions of the Unity Editor and released on these platforms could be impacted by the vulnerability.

Note: If a platform is not listed, there have been no findings to suggest that the vulnerability is exploitable.

On Microsoft Windows systems, the presence of a registered custom URI handler for a vulnerable application or handler name could increase the risk of exploitation. If a custom URI scheme is present and can be invoked on the target system, an attacker who can cause that URI to be opened could trigger the vulnerable library-loading behavior without needing direct command-line access. Potential exploitation remains constrained to the privileges of the targeted application and to the data and services accessible to that process. Entities that routinely create registered URI handlers for Unity applications are encouraged to contact Unity directly at [email protected].

Remediation Steps

Rebuild Application

  • Update the Unity Editor to the newest version then rebuild and redeploy the application.

Binary Patch

  • Using the Unity Binary Patch tool for the target platform, the Unity runtime library can be replaced with a patched version of the library.

FAQ

My application or game is released on a platform or operating system not listed, what should I do?

+

How was the vulnerability discovered?

+

What is the process for reporting future vulnerabilities to Unity?

+

Read Entire Article
  1. Homepage
  2. Technology
  3. Unity Security Update CWE-426: Untrusted Search Path

Related

Show HN: TunnelBuddy – Share your internet via HTTPS proxy over WebRTC

Show HN: TunnelBuddy – Share your internet via HTTPS proxy o...

8 minutes ago 0
Ten years and 100B dollars later: where is Meta's metaverse?

Ten years and 100B dollars later: where is Meta's metaverse?...

15 minutes ago 0
Comparing the run-time performance of Fil-C and ASAN

Comparing the run-time performance of Fil-C and ASAN

15 minutes ago 0
Hostinger Web Hosting