Unity has been sounding the alarm about a code execution vulnerability that has been identified in all applications built with a vulnerable editor.
While there's definitely no harm in patching, in my personal opinion the situation is needlessly overblown. I have worked in offensive cybersecurity, and the fact that a Unity game allows you to locally run code that "would be confined to the privilege level of the vulnerable application, and information disclosure would be confined to the information available to the vulnerable application" is not really exploitable. Since the attack vector is local, the attacker already has to have read/write/execute access to the application and your system, which usually means you have way bigger problems.
Not to mention that since Unity suffers from a .dll injection vulnerability (which is what most mods are using), the attacker can do the same by simply replacing a .dll file of the game.
So, patch up if you can, but if you're not able to or can't be bothered, in my opinion it doesn't really matter. But please prove me wrong if I am.
I didn't want to take any risks, so I did the fix first thing in the morning and had QA doing tests all morning. Pushed the fixed build after lunch. The fix was really simple with a Unity-made tool. It was actually clear and understandable, unlike the messes Unity usually ships.
LOL yeah, they took this seriously and handled it well