An employee of GMO Flatt Security Inc, RyotaK, found a vulnerability of Unity Runtime. This vulnerability affects almost all kind of version of unity engine.

According to one's description, this vulnerability allows malicious intents to control command line arguments passed to Unity applications, enabling attackers to load arbitrary shared libraries (.so files) and execute malicious code, depending on the platform.

Unity official claims that, there is no evidence of any exploitation of the vulnerability nor has there been any impact on users or customers.

Following unity official guidance, I've updated engine version, and rebuilt application.

Not knowing if there's any BUG after updating, therefore I kept the old version of application. You can get the old version by accessing release_windows branch. Please notice: the old version has CVE-2025-59489 vulnerability, the consequences are at your own risk.

References:

安全更新公告 --- Security Update Advisory

CVE-2025-59489: Unity 运行时任意代码执行 - GMO Flatt 安全研究 --- CVE-2025-59489: Arbitrary Code Execution in Unity Runtime - GMO Flatt Security Research

CVE 记录：CVE-2025-59489 --- CVE Record: CVE-2025-59489