Unity Technologies has published a security advisory warning developers and users of a high-risk vulnerability found in certain versions of the Unity Editor. The flaw, disclosed on October 2, 2025, affects applications and games built on Unity across multiple platforms, raising concerns about potential local code execution and information disclosure.
According to the advisory, the issue was identified as CVE-2025-59489 and is classified as a high-severity vulnerability with a CVSS score of 8.4. It allows unsafe file loading and local file inclusion depending on the operating system, which could in turn enable code execution or unauthorized access at the same privilege level as the application. The company emphasized, however, that there is “no evidence of any exploitation of the vulnerability nor has there been any impact on users or customers.”
The security risk was initially discovered on June 4, 2025, by RyotaK of GMO Flatt Security Inc., and Unity has since provided fixes that developers are strongly encouraged to implement. Patched Unity Editor versions include 6000.3.0b4, 6000.2.6f2, 6000.0.58f2, and updates across the 2021, 2022, and 2023 branches. Out-of-support versions dating back to Unity 2019.1 have also received fixes, though older releases remain without patches.
The vulnerability has broad implications for applications running on Android, Windows, Linux, and macOS, with each platform facing a high-severity elevation of privilege risk. Unity has outlined remediation steps for developers, which include rebuilding applications in the latest Unity Editor or applying binary patches provided by the company.
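As an added example (not part of Unity's advisory or tooling), the following Python sketch triages Unity Editor version strings from a build inventory against the patched versions named above. The function names, status labels and sample inventory are assumptions made for illustration; branches whose fixed versions are not listed in this article are reported as `check-advisory` instead of being guessed.

```python
import re

# Patched Editor versions named in the article, keyed by (major, minor) stream.
# The article gives no version numbers for the 2019-2023 branches, so those
# streams are reported as "check-advisory" rather than guessed.
PATCHED = {
    (6000, 3): "6000.3.0b4",
    (6000, 2): "6000.2.6f2",
    (6000, 0): "6000.0.58f2",
}

# Unity release-type letters in release order: alpha < beta < final < patch.
STAGE = {"a": 0, "b": 1, "f": 2, "p": 3}
# No end anchor: any trailing suffix after the increment is ignored.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([abfp])(\d+)")


def parse(version):
    """Turn '6000.0.58f2' into a tuple that sorts in release order."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a Unity Editor version: {version!r}")
    major, minor, patch, stage, inc = m.groups()
    return (int(major), int(minor), int(patch), STAGE[stage], int(inc))


def triage(version):
    """Return 'patched', 'needs-fix', 'no-fix' or 'check-advisory'."""
    v = parse(version)
    if v[:2] < (2019, 1):
        return "no-fix"  # older than 2019.1: no patch released, per the article
    baseline = PATCHED.get(v[:2])
    if baseline is None:
        return "check-advisory"  # fixed version not listed in the article
    # Below the baseline: rebuild with a patched Editor or apply the binary patch.
    return "patched" if v >= parse(baseline) else "needs-fix"


if __name__ == "__main__":
    # Constructed sample inventory, not taken from any real project.
    for ver in ["6000.0.58f1", "6000.2.7f1", "6000.3.0b4", "2022.3.10f1", "2018.4.36f1"]:
        print(f"{ver:14} {triage(ver)}")
```

A `needs-fix` result reflects only the Editor version a build was produced with; a build that has had Unity's binary patch applied would need to be tracked separately.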
Several titles have already received security updates in response. Notably, Cities Skylines 2 and Two Point Museum were among the games patched, while others may have been silently updated if they shared the same exploit pathway. Unity has also urged developers who use custom URI handlers in Windows environments to contact the company directly, as these configurations may increase the likelihood of exploitation.
Unity stressed that the fixes are available immediately and accessible through Unity Hub. While there has been no reported misuse of the vulnerability so far, the company is treating the matter with urgency to safeguard both developers and end users from potential risks.