this post was submitted on 03 Oct 2025
64 points (100.0% liked)

Game Development

5030 readers
88 users here now

Welcome to the game development community! This is a place to talk about and post anything related to the field of game development.

Community Wiki

founded 2 years ago
MODERATORS
Ategon@programming.dev
LiquidityC@programming.dev
Frank@programming.dev
64
A code execution security vulnerabilty has been identified in all games built with Unity 2017 and later (unity.com)
submitted 13 hours ago by Mikina@programming.dev to c/gamedev@programming.dev
6 comments fedilink hide all child comments
 

Unity has been sounding the alarm about a code execution vulnerability that has been identified in all applications built with vulnerable editor.

While there's definitely no harm in patching, in my personal opinion, the situation is needlessly overblown. I have worked in offensive cybersecurity, and the fact that Unity game allows you to locally run a code that

would be confined to the privilege level of the vulnerable application, and information disclosure would be confined to the information available to the vulnerable application.

is not really exploitable. Since the attack vector is local, the attacker already has to have read/write/execute access to the application and your system, which usually means you have way bigger problems.

Not to mention that since Unity suffers with .dll injection vulnerability (which is what most mods are using), the attacker can do the same by simply replacing a .dll file of the game.

So, patch up if you can, but if you're not able or can't be bothered, in my opinion, it doesn't really matter. But please prove me if I'm wrong.

top 6 comments
sorted by: hot top controversial new old
[–] GammaGames@beehaw.org 11 points 9 hours ago* (last edited 9 hours ago) (2 children)

Apparently the biggest risk is that another malicious application could modify the intent urls of the runtime to pass extra arguments to the command line and run arbitrary code whenever you start a unity game. Apparently permissions could be escalated on windows but only if you registered the app as a custom URL schema handler

It’s an easy attack vector to drain crypto wallets!

[–] SleeplessCityLights@programming.dev 4 points 2 hours ago (1 children)

I didn't want to take any Risks. So did the fix first thing in the morning and had QAs doing tests all morning. Pushed the fixed build after lunch. The fix was really simple with a Unity made tool. It was actually clear and understandable, unlike the messes Unity usually ships.

[–] GammaGames@beehaw.org 1 points 2 hours ago

LOL yeah, they took this seriously and handled it well

[–] Mikina@programming.dev 2 points 6 hours ago (1 children)

I see, but still - how is that different from a regular old .dll injection? Or, just replacing the .exe alltogether.

If you're at the point of R/W/X on a machine, then you have a lot of similar vectors of attack.

That is, assuming there's no privilege escalation, which the vuln report does not mention.

[–] GammaGames@beehaw.org 2 points 6 hours ago (1 children)

The attack is through other unrelated apps that get installed, so if some shitty todo app gets compromised the rest of the games that use the unpatched runtime can be targeted. Yes, the risks are probably pretty minimal, but app permissions on android are not well-known for their sensibility.

Also on windows:

your Unity app could be vulnerable to privilege escalation if it is registered as a custom URL schema handler.

[–] entwine@programming.dev 2 points 5 hours ago

Interesting, can you pass arbitrary command line arguments via a URL like that on Windows? If so, this could be catastrophic if all you need is a malicious link on any website to trigger it.