A high-severity vulnerability in the Unity Runtime, tracked as CVE-2025-59489 with a CVSS score of 8.4, exposes Unity-built apps to arbitrary code execution on Android and, under specific conditions, privilege escalation on Windows. The flaw has existed since Unity 2017.1. Vendor responses are underway: Unity has issued patches, Valve updated the Steam client, and Microsoft published interim risk-reduction guidance.
What happened: critical Unity Runtime input validation flaw
The issue, reported by GMO Flatt Security researcher RyotaK, stems from unsafe file loading and local file inclusion (LFI) within the Unity Runtime. In practice, this allows untrusted libraries to be loaded into a game process, enabling code execution and potential information disclosure. Unity notes exploitation is limited to the privileges of the vulnerable application, yet the breadth of affected titles makes this a significant ecosystem risk.
How exploitation works: -xrsdk-pre-init-library and library load hijacking
The root cause is insufficient validation of the command-line argument -xrsdk-pre-init-library. On Android, crafted Intents can redirect the runtime to a malicious native library supplied by another app on the device, causing the target game to load and execute attacker-controlled code. The resulting code runs in the game’s context, inheriting its permissions and access to local data.
Similar risks exist on Windows, macOS, and Linux when untrusted parameters can be injected into the launch path or when attackers influence library search paths. On Windows, this resembles classic DLL search-order hijacking: if a game or launcher resolves libraries from attacker-controlled paths, code execution may occur and, in chained scenarios, can facilitate privilege escalation (for example, when invoked by a higher-privileged component). These cross-platform preconditions explain the high severity rating.
Scope and vendor responses: affected titles and ecosystem impact
Unity underpins thousands of mobile, PC, and console games, plus real-time 3D applications beyond gaming. Microsoft’s assessment lists well-known Unity releases as potentially affected, including Hearthstone, The Elder Scrolls: Blades, Fallout Shelter, DOOM (2019), Wasteland 3, and Forza Customs. Unity reports no evidence of in-the-wild exploitation at this time, but the exposure surface is wide due to the long tail of Unity versions.
Following disclosure, Valve updated Steam to block risky custom URI schemes that could pass untrusted arguments to games at launch. Microsoft issued Defender updates and advised users to temporarily remove vulnerable games until patched builds are available, a conservative measure to cut off common delivery vectors. These steps align with typical mitigations for argument injection and library-loading attacks documented across software ecosystems.
Patches and upgrade status: Unity versions and game updates
Unity has released fixes for 2019.1 and later, including branches that are officially out of support; releases older than 2019.1 will not receive updates. Developers should upgrade the Unity Editor, rebuild and republish their apps, and ship the corrected Unity Runtime. Valve recommends rebuilding on a patched Unity version or, where permissible, deploying a fixed UnityPlayer.dll into existing builds.
Studios are responding: Obsidian temporarily delisted several titles (e.g., Grounded 2 Founders Edition, Avowed Premium Edition, Pillars of Eternity, Pillars of Eternity II: Deadfire, Pentiment) pending updates. Fixes have already shipped for Marvel Snap, No Rest for the Wicked, Ingress, and Fate/Grand Order, with a Persona 5: The Phantom X patch in development.
Risk analysis: attacker model and practical impact
On Android, exploitation generally requires a co-resident malicious app capable of issuing crafted Intents or file paths. The result is code execution within the game’s sandbox, enabling credential theft, session hijacking, or tampering with in-game assets. On desktop platforms, the risk increases where launchers, URI handlers, or environment variables allow argument injection or path manipulation. Combined with weak file permissions or elevated launch contexts, this can create a path to lateral movement or local privilege escalation.
Mitigation guidance for developers and users
For developers
Upgrade immediately to a Unity version patched for CVE-2025-59489, rebuild, and redistribute. Audit command-line handling, custom URI schemes, and launchers to ensure untrusted inputs are rejected. On Windows, use safe library loading patterns (absolute paths, LoadLibraryEx with restricted search, code signing) and avoid relying on default search order. On Android, minimize exposed components and scrutinize Intents and permissions to prevent untrusted file access.
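One way to enforce the two recommendations above in native launcher code (reject untrusted launch input, then load only from a fixed location with a restricted search), as an added example that is not Unity's or Valve's code. The argument name, the allow-listed library base names and the application directory are constructed assumptions; the Windows branch uses LoadLibraryEx with search-restriction flags as the text suggests.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif
/* Constructed allow-list of library base names the launcher may pre-load. */
static const char *ALLOWED_LIBS[] = { "XRSDKPreInit", "OpenXRLoader", NULL };
/* A launch argument is accepted only as a bare base name (letters, digits, '_', '-').
   Slashes, backslashes, ':' and '.' are rejected, so absolute paths, traversal and
   injected extensions never reach the loader. */
bool is_safe_library_name(const char *name) {
    if (name == NULL || *name == '\0') return false;
    size_t n = strlen(name);
    if (n > 64) return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '-') return false;
    }
    return true;
}
/* Syntactically safe is not enough: the name must also be on the allow-list. */
bool is_allowed_library(const char *name) {
    if (!is_safe_library_name(name)) return false;
    for (const char **p = ALLOWED_LIBS; *p != NULL; p++)
        if (strcmp(*p, name) == 0) return true;
    return false;
}
/* Build the absolute path from the trusted application directory plus the
   validated name; the raw argument itself is never handed to the loader. */
bool build_library_path(const char *app_dir, const char *arg,
                        char *out, size_t out_len) {
    if (app_dir == NULL || out == NULL || !is_allowed_library(arg)) return false;
#ifdef _WIN32
    int r = snprintf(out, out_len, "%s\\%s.dll", app_dir, arg);
#else
    int r = snprintf(out, out_len, "%s/lib%s.so", app_dir, arg);
#endif
    return r > 0 && (size_t)r < out_len;   /* false on truncation */
}
#ifdef _WIN32
/* Windows: load by absolute path and restrict where dependent DLLs are resolved
   from, so the default search order (current directory, PATH) is not consulted. */
HMODULE load_validated_library(const char *app_dir, const char *arg) {
    char path[MAX_PATH];
    if (!build_library_path(app_dir, arg, path, sizeof path)) return NULL;
    return LoadLibraryExA(path, NULL,
        LOAD_LIBRARY_SEARCH_APPLICATION_DIR | LOAD_LIBRARY_SEARCH_SYSTEM32);
}
#endif
```

On Android the same base-name check applies before any native library is resolved, with the path rooted in the app's own native library directory rather than one taken from an Intent extra.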
For users
Follow Microsoft’s advice: temporarily remove vulnerable games and reinstall once updates are available. Update Steam and Microsoft Defender to the latest versions. On Android, avoid sideloading and uninstall unknown apps that could interact with installed games via inter-process mechanisms.
Securing the Unity supply chain requires strict validation of launch arguments and deterministic, locked-down library loading across platforms. Prompt adoption of patched Unity Runtime builds will significantly reduce risk. Users should watch for updates to their favorite titles and apply patches promptly; fast remediation remains the most effective defense against code execution and data compromise.