
Developers urged to patch games immediately as major Unity security flaw discovered after 8 years

The Unity logo in a black background (image source: Unity)
A critical Unity vulnerability (CVE-2025-59489), discovered June 4, 2025, by researcher RyotaK, enables arbitrary code execution in titles running older versions of the game engine. Unity has since disclosed patches, including a binary patcher on October 2, and urged developers to recompile and republish their titles immediately, even as there is no evidence of exploitation just yet.

A critical security vulnerability that has been sitting idly in Unity’s engine since 2017 has now been exposed. Upon its discovery, developers worldwide were issued a warning by the development platform, with notifications immediately urging devs to recompile and republish their games to protect users.

The vulnerability CVE-2025-59489 enables arbitrary code execution through argument injection in Unity Runtime, allowing potential attackers with local access to load malicious libraries and escalate their privileges.

The vulnerability was discovered on June 4, 2025, by security researcher RyotaK of GMO Flatt Security Inc. The security vulnerability affects games and apps built with Unity version 2017.1 and later on Android, Linux, and macOS.

Under CVSS, the Common Vulnerability Scoring System used to rate the severity of software vulnerabilities, the flaw in Unity 2017.1 and later is rated “High” with a score of 8.4 out of 10.

Unity disclosed the vulnerability on October 2, 2025, announcing that fixes were being rolled out the same day for Unity Editor versions from 2019.1 onward, alongside a binary patcher tool for retrofitting existing builds dating back to 2017.1.

In its official security advisory, Unity insisted, “There is no evidence of any exploitation or vulnerability, nor has there been any impact on users or customers.” Unity further stated, “We have proactively provided fixes that address the vulnerability, and they are already available to all developers.”

Unity ended the advisory post with these closing remarks: “Unity is dedicated to the security and integrity of our platform, our customers, and the wider community. Transparent communication is central to this commitment, and we will continue to provide updates as necessary.”

This discovery did cause mass hysteria across the industry as major studios and indie devs raced to update titles, leading to temporary storefront removals. Obsidian Entertainment pulled several Unity-built games, including Pillars of Eternity II: Deadfire and Pentiment, on October 3. Among Us developer Innersloth and Marvel Snap’s Second Dinner also confirmed patches for their mobile titles.

Similarly, PsychoFlux Entertainment has reportedly patched 11 Steam games like Gravity Castle and Fingerdance, while Tenbris Studio updated its horror game “Your Computer Might be At Risk” on Steam.

The episode shows that undiscovered vulnerabilities can still lurk in legacy code for years. However, Unity’s swift response may have limited the fallout for a game engine that powers as many as 750,000 games, ranging from AAA titles to indies.

Rahim Amir Noorali, 2025-10-06 (Update: 2025-10-06)