Unity Security Update, What Do?

Gamedev Meeting

October 2025

Mark LaCroix

Contents

1. Background

2. Your options

3. Creating new builds

4. Patching existing builds

5. Versioning, publishing, & communicating to users


Background

  • A security vulnerability exists in all applications built using Unity versions 2017.1 and later for Android, Linux, macOS, and Windows. Console targets, iOS, WebGL, and UWP are believed to be unaffected.
  • Discovered in May 2025 by independent security researcher RyotaK as part of the Meta Bug Bounty Researcher Conference, and reported to Unity. It was not publicly disclosed by either party until October 3rd.
  • The exploit takes advantage of the debugging capabilities of the runtime Unity Player when an application is launched using command line arguments.
  • Arbitrary code can be inserted and executed, adopting the permissions/elevation level of the host application.
    • This normally requires local machine access.
    • For applications which register a custom URI scheme with the host system, it can also be executed remotely, but the researcher did not investigate specific games to test the exploit.


  • For the vast majority of games, these and other factors make this exploit a practical non-issue for users, but Unity is a general-purpose application framework, and this is (technically) a serious vulnerability.
    • Unity: “There is no evidence of any exploitation of the vulnerability, nor has there been any impact on users or customers.”
    • Also Unity: “All developers with affected projects must take action.”
  • Recommendations are guided by the CVE (Common Vulnerabilities and Exposures) standard. This exploit is rated “high.”
  • Unity is not making any distinctions between scripting backends or any other game/compiler configurations in its recommendations.


  • On Thursday, October 2nd, Unity published:
    • Security Advisory knowledge base article
    • Take Immediate Action to Protect Your Games and Apps forum thread
    • Developer Remediation Guide knowledge base article
    • Updated versions of the Unity Editor:
      • 6000: 6000.3.0b4, 6000.2.6f2, 6000.1.17f1, 6000.0.58f2
      • 2023: 2023.2.22f1, 2023.1.22f1
      • 2022: 2022.3.62f2, 2022.2.23f1, 2022.1.25f1
      • 2021: 2021.3.45f2, 2021.2.20f1, 2021.1.29f1
      • 2020: 2020.3.49f1, 2020.2.8f1, 2020.1.18f1
      • 2019: 2019.4.41f1, 2019.3.17f1, 2019.2.23f1, 2019.1.15f1
      • 2018: NONE
      • 2017: NONE
    • A Patching Tool utility for Windows and macOS
      • (Android, macOS, and Windows games can all be patched using either version)


  • What would actually need to be updated in your game?
    • No game code or assets.
    • The “UnityPlayer” library is the only part of your game that needs to be updated, as the exploit relies on internal code paths:

      • Android: libunity.so and boot.config
      • Linux: UnityEngine.dll (Mono) / UnityPlayer.so (IL2CPP), and (probably) boot.config
      • macOS: UnityPlayer.dylib
      • Windows: UnityPlayer.dll


  • All games made in Unity 2017.1 or later are technically impacted. Your options are governed mainly by your distribution/publishing method, and “your level of concern.”
  • Microsoft Defender (on Windows) already blocks this exploit in the wild, and other anti-virus providers are working to block it as well.
  • Google Play Services (on Android) and Meta’s (Android-based) Quest platform will also block this exploit. AOSP versions of Android currently do not.
  • Valve has told Unity that it plans to update the Steam application (on all desktop platforms) to address the issue as well.
    • Valve is characteristically quiet about how exactly they plan to do this, but Steam often executes applications using command line arguments, so it’s possibly related to that.
  • Ultimately, risk to users is very low, but the technical severity of the exploit may impact application store listings in the future for unpatched/non-updated titles.
  • There is an extremely limited number of breaking changes in the corrected version of the UnityPlayer library, related to the techniques an attacker would exploit. This might limit your options to update older games.


Your Options

For games in development

  • Update your version of Unity Engine. Easy.
    • Great excuse to update to a new minor (or even major) version if you’ve been putting it off.
  • If you’ve already locked your major.minor version…
    • Unity has issued point/patch updates to every minor version of the editor going back to 2019.1, so you’re good to go.
    • These specific Editor updates only mitigate the security issue, so there is less possibility of unexpected breaking changes, particularly if you’re already up-to-date on patch releases (which if so, congrats on your dedication to Unity’s rapid-release scheme).

For released games

  • You have three options…


Option 1: Do Nothing

  • This is a legitimate option.
  • But… no one recommends this option.
  • The consequences are currently unknown:
    • Again, current risk to users is low to practically non-existent.
    • Distribution platforms have not yet issued guidance or policies on this, but the sheer number of impacted games makes it unattractive for them to enforce a wide-spread takedown policy.
  • From Unity’s FAQ:
    • Do I need to take my game or application off any platforms to ensure users are protected? There is no need to pull games or applications off any platforms. There is no evidence of any exploitation of the vulnerability nor has there been any impact on users or customers. Unity has proactively provided fixes to developers that address the vulnerability, and many of our platform partners have put additional protections in place.
  • Unity is talking out of both sides of their mouth a little bit here.


Option 2: Create a new build

  • This is Unity’s first recommendation.
  • For recent and currently-supported projects, this is the best path.
    • Uses existing workflows.
    • Maintains proper project versioning.
    • Easy as could be.
  • For older/out-of-support projects, or projects where the build toolchain cannot be easily (or reliably) re-created, this is a less attractive option.
    • Unity versions before 2019.1 have not been updated, so games made with Unity versions between 2017.1 and 2018.4 must be patched instead.


Option 3: Patch your existing build

  • The best option for a quick resolution, especially for older projects.
  • Unity’s patcher utility has made this very easy.
  • Android (Google Play) considerations:
    • Google is allowing a temporary exception to the submission rules to allow older games to release new versions without updating to an Android SDK minimum level. I haven’t investigated further, so see Google’s docs (if they exist yet) on this (it might require a support ticket).
  • Linux considerations:
    • The patching tool is not available for Linux and does not patch Linux games.
    • This means Linux games made with versions 2017.1 through 2018.4 cannot be updated.
    • Unity has said “The vulnerability presents a much lower risk on Linux.”
      • Note: I didn’t update the Linux version of Widget Satchel.
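The choice between Option 2 and Option 3 can be scripted from the list of updated Editor versions in the Background section. This is an added example, not part of the talk or of Unity's tooling; the function names and the a < b < f < p ordering of release suffixes are assumptions.

```python
import re

# First fixed Editor release per major.minor stream, as listed on the slides.
FIXED = {
    "6000.3": "6000.3.0b4", "6000.2": "6000.2.6f2", "6000.1": "6000.1.17f1",
    "6000.0": "6000.0.58f2", "2023.2": "2023.2.22f1", "2023.1": "2023.1.22f1",
    "2022.3": "2022.3.62f2", "2022.2": "2022.2.23f1", "2022.1": "2022.1.25f1",
    "2021.3": "2021.3.45f2", "2021.2": "2021.2.20f1", "2021.1": "2021.1.29f1",
    "2020.3": "2020.3.49f1", "2020.2": "2020.2.8f1", "2020.1": "2020.1.18f1",
    "2019.4": "2019.4.41f1", "2019.3": "2019.3.17f1", "2019.2": "2019.2.23f1",
    "2019.1": "2019.1.15f1",
}
AFFECTED_PLATFORMS = {"android", "linux", "macos", "windows"}
STAGE = {"a": 0, "b": 1, "f": 2, "p": 3}  # assumed ordering of release suffixes

def parse(version):
    """Split '2022.3.62f2' into ((2022, 3), (62, 2, 2)) for tuple comparison."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([abfp])(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Unity version: {version!r}")
    major, minor, patch, stage, build = m.groups()
    return (int(major), int(minor)), (int(patch), STAGE[stage], int(build))

def triage(version, platform):
    """Return the remediation route the slides describe for one released build."""
    stream, release = parse(version)
    platform = platform.lower()
    if platform not in AFFECTED_PLATFORMS or stream < (2017, 1):
        return "not listed as affected"
    fixed = FIXED.get(f"{stream[0]}.{stream[1]}")
    if fixed is None and stream >= (2019, 1):
        return "stream not in the table; check Unity's advisory"
    if fixed and release >= parse(fixed)[1]:
        return "already on a fixed Editor release"
    if platform == "linux":  # the patching tool does not handle Linux builds
        return f"rebuild with {fixed} or later" if fixed else "no fix available"
    if fixed:
        return f"rebuild with {fixed} or later, or run the patching tool"
    return "run the patching tool"  # 2017.1 through 2018.4: no fixed Editor

if __name__ == "__main__":
    # Constructed sample inventory of released builds.
    for ver, plat in [("2022.3.40f1", "windows"), ("2018.4.36f1", "linux")]:
        print(ver, plat, "->", triage(ver, plat))
```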


Creating New Builds

  • You all know how to do this; these are merely my recommendations for best practices…
  • The only update you should make is to the editor version.
    • If you can avoid it, make no other changes to your game.
    • Have a bugfix you’ve been putting off? Currently working on a content update? Save that for another update.
  • If you’re currently in the middle of updating your game (and 🤞 using version control)
    • Commit/stash/fork your changes and go back to the commit for your last released version
      • You are tagging commits with release version numbers, right??
    • Update the Unity Editor to the latest patch version of the major.minor version you’re using.
    • Create a new commit and tag it as a versioned update for your project. Then create a build.
    • Re-apply your previous changes.
  • If this creates a headache for you, then you can ignore it.
    • If you’re in the middle of a major update, it might delay pushing the security fix.
    • Let that be a lesson, yada yada…


Patching Existing Builds

  • Unity’s patching tool is very straightforward and self-evident, but there are a few things worth clarifying:
    • For Windows and macOS, work on a copy of the build you want to patch, made beforehand, and KEEP TRACK OF IT. Rename the containing folder in advance.
    • For Android, the patching tool will generate a new APK or AAB. Still though, KEEP TRACK.
    • Because you are not creating a new build, you will need to come up with a logical versioning scheme that works with your existing system and the platform you are distributing on.


Android

  • Remember to update the Version Code!
    • Use the handy “Query Version” button.
  • Double-check signing information


Windows

  • Remember to create a copy of your build folder before patching, and patch the copy, not the original.
    • I renamed the copy to reflect a new “patch” version number, from 1.0.3 to 1.0.3.1.

  • UnityPlayer.dll is in the root of your game’s build folder.


macOS

  • macOS applications are folders in disguise. On macOS, you can copy the application and rename the copy; on Windows, I recommend storing macOS “.app” folders inside a parent folder and renaming the copy of that folder.
  • In the Windows version of the patcher, it says “Path to application to update” but it’s actually looking for UnityPlayer.dylib, which is in:
    • YourGame.app/Contents/Framework/
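One way to keep track of a patched Windows or macOS copy is to hash both folders and confirm that only the UnityPlayer library differs. This is an added example, not part of the talk or of Unity's patching tool; it assumes the tool changes nothing else in the folder, and the function names and sample build are constructed.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Library names come from the slides; they are matched by file name, not location.
EXPECTED_CHANGED = {"windows": {"UnityPlayer.dll"}, "macos": {"UnityPlayer.dylib"}}

def sha256_tree(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_builds(original, patched, platform):
    """Diff two build folders; 'ok' means only the UnityPlayer library changed."""
    before, after = sha256_tree(original), sha256_tree(patched)
    changed = {p for p in before.keys() & after.keys() if before[p] != after[p]}
    libs = {p for p in changed if Path(p).name in EXPECTED_CHANGED[platform]}
    report = {
        "patched_libs": sorted(libs),
        "unexpected": sorted(changed - libs),      # game code or assets that differ
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "manifest": after,                         # keep with your release records
    }
    report["ok"] = bool(libs) and not (report["unexpected"] or report["added"]
                                       or report["removed"])
    return report

if __name__ == "__main__":
    # Constructed stand-in for a real build: file names and contents are made up.
    with tempfile.TemporaryDirectory() as tmp:
        original = Path(tmp) / "MyGame_1.0.3"
        (original / "MyGame_Data").mkdir(parents=True)
        (original / "UnityPlayer.dll").write_bytes(b"unpatched player")
        (original / "MyGame_Data" / "level0").write_bytes(b"assets")
        patched = Path(tmp) / "MyGame_1.0.3.1"
        shutil.copytree(original, patched)
        (patched / "UnityPlayer.dll").write_bytes(b"patched player")  # simulates the tool
        result = compare_builds(original, patched, "windows")
        print(result["ok"], result["patched_libs"])
```

Anything listed under "unexpected", "added" or "removed" is worth reviewing before the patched copy is published.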


Considerations going forward

  • This option is ideal for old games which you do not intend to update, or games for which it is difficult to recreate the development environment, but you may wish to update this game again in the future…
  • Be sure to keep track of the lifecycle of the patched version as it will fall outside of your normal versioning and build cataloguing systems.
  • If for some reason you must continue to use un-patched versions of Unity Editor to create new builds in the future (though I can’t imagine why you would), be sure to integrate the patching tool into your build process.


Versioning, Publishing, Communicating

Versioning and Publishing

  • If using semantic versioning:
    • For new builds: increment your patch version number by 1 (1.0.1 to 1.0.2)
    • For patched builds: Since you are not updating any game code, and your game will contain the existing version number, I recommend adding an additional version number (1.0.3 to 1.0.3.1).
      • This mostly only impacts your record-keeping.
  • I strongly recommend pushing an update that contains only this patch. Why?
    • This is a security update. In the world of games, we’re not used to strictly categorizing our updates in this way, but it is generally important to separate security updates from content or feature updates, so this is just good practice.


Communicating

  • Depending on your project, you may or may not wish to publish release notes.
  • I recommend being upfront and plain about this update with your users.
  • While the real-world impact of this exploit is low, as software developers we are served well to respect the CVE categorization of this issue, while clearly communicating the impact on users.
  • Player awareness of this issue is currently low, but as more and more games are updated, and Unity’s messaging remains tip-toe-y, gamers will develop their own ideas about this unless we set the tone.
    • Players are going to want to know which of their games have been “fixed” and which haven’t.
    • It might be tempting to “hide” this inside of another update, to avoid the topic should it become toxic amongst players (or you don’t want to announce that your game is made in Unity), but I believe that would backfire.
    • If you must issue this along with other updates, be sure to highlight the security patch in your release notes.


Example: Blippo+ (new build)


Example: Widget Satchel (patched build)


Questions?
