CVE-2025-59489
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-03

Last updated on: 2025-10-22

Assigner: MITRE

Description
Unity Runtime before 2025-10-02 on Android, Windows, macOS, and Linux allows argument injection that can result in loading of library code from an unintended location. If an application was built with a version of Unity Editor that had the vulnerable Unity Runtime code, then an adversary may be able to execute code on, and exfiltrate confidential information from, the machine on which that application is running. NOTE: product status is provided for Unity Editor because that is the information available from the Supplier. However, updating Unity Editor typically does not address the effects of the vulnerability; instead, it is necessary to rebuild and redeploy all affected applications.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-03
Last Modified
2025-10-22
Generated
2026-06-16
AI Q&A
2025-10-03
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59489
EUVD
EUVD-2025-32504
Affected Vendors & Products
Showing 27 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 5.15.160 (inc) to 5.16 (inc)
unity editor From 2017.4 (inc) to 2018.4 (inc)
unity editor From 2019.1 (inc) to 2019.1.15f1 (exc)
unity editor From 2019.2 (inc) to 2019.2.23f1 (exc)
unity editor From 2019.3 (inc) to 2019.3.17f1 (inc)
unity editor From 2019.4 (inc) to 2019.4.41f1 (exc)
unity editor From 2020.1 (inc) to 2020.1.18f1 (exc)
unity editor From 2020.2 (inc) to 2020.2.8f1 (exc)
unity editor From 2020.3 (inc) to 2020.3.49f1 (exc)
unity editor From 2021.1 (inc) to 2021.1.29f1 (exc)
unity editor From 2021.2 (inc) to 2021.2.20f1 (exc)
unity editor From 2021.3 (inc) to 2021.3.45f2 (exc)
unity editor From 2022.1 (inc) to 2022.1.25f1 (exc)
unity editor From 2022.2 (inc) to 2022.2.23f1 (exc)
unity editor From 2022.3 (inc) to 2022.3.62f2 (exc)
unity editor From 2023.1 (inc) to 2023.1.22f1 (exc)
unity editor From 2023.2 (inc) to 2023.2.22f1 (exc)
unity editor From 6000.0 (inc) to 6000.0.58f2 (exc)
unity editor From 6000.1 (inc) to 6000.1.17f1 (exc)
unity editor From 6000.2 (inc) to 6000.2.6f2 (exc)
unity editor From 6000.3 (inc) to 6000.3.0b4 (exc)
unity editor 2017.1.2p4\+
unity editor 2017.2.0p4\+
unity editor 2017.3.0b9\+
apple macos *
google android *
microsoft windows *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-88 The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
CWE-426 The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Unity Editor versions 2019.1 through 6000.3 allows remote attackers to exploit file loading and Local File Inclusion (LFI) mechanisms via a crafted local application due to an Untrusted Search Path. This means attackers can manipulate how the application loads files, potentially causing unauthorized changes to runtime resources and third-party integrations.

Impact Analysis

The vulnerability could permit unauthorized manipulation of runtime resources and third-party integrations in applications built with Unity and deployed on Android, Windows, macOS, and Linux. This could lead to compromised application integrity, data corruption, or execution of malicious code.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59489. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart