CVE-2025-59489
HIGHDescription
Unity Runtime before 2025-10-02 on Android, Windows, macOS, and Linux allows argument injection that can result in loading of library code from an unintended location. If an application was built with a version of Unity Editor that had the vulnerable Unity Runtime code, then an adversary may be able to execute code on, and exfiltrate confidential information from, the machine on which that application is running. NOTE: product status is provided for Unity Editor because that is the information available from the Supplier. However, updating Unity Editor typically does not address the effects of the vulnerability; instead, it is necessary to rebuild and redeploy all affected applications.
Is your site exposed to CVE-2025-59489?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| unity | editor |
| unity | editor |
| unity | editor |
| unity | editor |
| unity | editor |
| unity | editor |
| unity | editor |
| unity | editor |
| unity | editor |
| unity | editor |
| unity | editor |
| unity | editor |
| unity | editor |
| unity | editor |
| unity | editor |
| unity | editor |
| unity | editor |
| unity | editor |
| unity | editor |
| unity | editor |
| unity | editor |
| unity | editor |
| unity | editor |
| apple | macos |
| android | |
| linux | linux_kernel |
| microsoft | windows |
References
Advisories & Patches
Other References
Frequently Asked Questions
What is CVE-2025-59489? +
How severe is CVE-2025-59489? +
What products are affected by CVE-2025-59489? +
How do I check if I'm vulnerable to CVE-2025-59489? +
Related Vulnerabilities
A hidden console command is vulnerable to command injection flaw when control characters are passed to its second argument. A …
Atheos is a self-hosted browser-based cloud integrated development environment. Prior to version 6.0.4, improper use of `escapeshellcmd()` in `/components/codegit/traits/execute.php` allows …
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations …
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in CRESTRON TOUCHSCREENS x70 allows Argument Injection.This issue affects …
XZ Utils provide a general-purpose data-compression library plus command-line tools. When built for native Windows (MinGW-w64 or MSVC), the command …
Easywall 0.3.1 allows authenticated remote command execution via a command injection vulnerability in the /ports-save endpoint that suffers from a …