Received a Google Play Store email suggesting I take action...
Hello! A recent review found that your app "xxx" (com.xxx) contains a recently discovered vulnerability and therefore needs an important security fix.
This vulnerability may affect Android games and apps built with Unity 2017.1 and later.
There is currently no evidence that the vulnerability has been maliciously exploited, nor has it had any impact on customers' users. As a result of this issue,
your app violates one or more of our Developer Program Policies. Please see below for details about the app's status, Unity's
remediation guidance, and the next steps for submitting an updated version of the app.
Unity Platform Protection: Developer Remediation Guide
Unity Platform Protection: Take Immediate Action to Protect Your Games and Apps already gives more detailed information about this issue.
An important message
A security vulnerability was identified that affects games and applications built on Unity versions 2017.1 and later for Android, Windows, Linux, and macOS operating systems. There is no evidence of any exploitation of the vulnerability, nor has there been any impact on users or customers. We have proactively provided fixes that address the vulnerability, and they are already available to all developers. The vulnerability was responsibly reported by the security researcher RyotaK, and we thank him for working with us.
Key Facts:
- There is no evidence of any exploitation of the vulnerability nor has there been any impact on users or customers.
- Unity has worked in close collaboration with our platform partners who have taken further steps to secure their platforms and protect end users.
- Released games or applications using Unity 2017.1 or later for Windows, Android, macOS, or Linux may contain this vulnerability.
- Unity has released an update for each of the major and minor versions of the Unity Editor starting with Unity 2019.1.
- Unity has released a binary patcher to patch already-built applications dating back to 2017.1.
What Actions Should You Take?
You need to take action if you have developed and released a game or application using Unity 2017.1 or later for Windows, Android, or macOS. It is imperative that you review the following guidance to ensure the continued safety of your users.
If your project is still in active development:
- Download the patched update for your version of the Unity Editor, available via Unity Hub or the Unity Download Archive, before building and publishing. This will ensure that your releases are fully protected.
Games and applications already built:
- We strongly recommend you download the patched update for your version of the Unity Editor, recompile, and republish your application.
- We have provided a tool to patch already-built applications dating back to 2017.1 for Android, Windows, and macOS for developers who prefer not to rebuild their projects. The tool can be accessed here.
For Android or Windows Applications, some additional protections are being put in place:
- If your Android application is distributed via Google Play, other third-party Android App stores, or direct download: As an additional layer of defense, Android’s built-in malware scanning and other security features will help reduce risks to users posed by this vulnerability. This does not replace the time critical need to apply the patch update for affected apps. (These protections do not apply to AOSP-based platforms unaffiliated with Google.)
- If your application targets Windows: For Windows-based applications, Microsoft Defender has been updated and will detect and block the vulnerability. Valve will issue additional protections for the Steam client.
If your application employs tamper-proofing or anti-cheat solutions:
- You will need to rebuild your project with the patched update for your version of the Unity Editor and redeploy to maintain these protections. Patching your existing application isn’t possible because it will trip the tamper protection.
Additional Platforms:
- For Horizon OS: Meta devices have implemented mitigations so that vulnerable Unity apps running on Horizon OS cannot be exploited.
- For Linux: The vulnerability presents a much lower risk on Linux compared to Android, Windows, and macOS.
- For all other Unity-supported platforms including iOS, there have been no findings to suggest that the vulnerability is exploitable.
- For the best protection, we always recommend you are on the latest patch release of the version of Unity you are using.
Consumer Guidance:
- There is no evidence of any exploitation of the vulnerability nor has there been any impact on users or customers.
- Advise your users to keep their devices and applications updated, enable automatic updates, and maintain current antivirus software.
- Encourage security best practices, including avoiding suspicious downloads and routinely updating all software.
CVE-2025-59489 Patcher Tool
The page linked above gives you access to the patch for your games and apps. As a shortcut, I list the patched Unity Editor versions here.
Patched Unity Editor Versions:
6000.3 LTS: 6000.3.0b4
6000.2: 6000.2.6f2
6000.1: 6000.1.17f1
6000.0 LTS: 6000.0.58f2
2023.2: 2023.2.22f1
2023.1: 2023.1.22f1
2022.3 xLTS: 2022.3.67f2
2022.3 LTS: 2022.3.62f2
2022.2: 2022.2.23f1
2022.1: 2022.1.25f1
2021.3 xLTS: 2021.3.56f2
2021.3 LTS: 2021.3.45f2
2021.2: 2021.2.20f1
2021.1: 2021.1.29f1
2020.3 LTS: 2020.3.49f1
2020.2: 2020.2.8f1
2020.1: 2020.1.18f1
2019.4 LTS: 2019.4.41f1
2019.3: 2019.3.17f1
2019.2: 2019.2.23f1
2019.1: 2019.1.15f1
Conclusion
You may wonder whether we could fix the security vulnerability without upgrading the Unity version. If you ask GPT, it will give you some ideas suggesting you use the old Unity version but with the latest or the right version of the Android SDK & NDK. I tried this method, but it produced a lot of compiling errors. After several configuration changes, I gave up, because I did not want to mess up the whole Unity compile configuration. Some macros needed to be removed or added, some settings changed, things like that.
This security vulnerability came from Unity itself. 2022.3.62f2 will not have such a vulnerability, but 2022.3.62f1 does. Even with a very minor change, the result is a big difference. I came across this warning while submitting apps with 2022.3.62f1, and there was no warning for 2022.3.62f2. So it is very obvious that the vulnerability comes from Unity itself. Currently there is no choice but to upgrade to the right Unity version.
Choose the right Unity version & upgrade your app SDKs at the same time. Good luck!
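As an added example (not from this post or from Unity), a small Python check that classifies a build's Unity Editor version string against the patched-version list above, so the f1/f2 difference described in the conclusion is caught before submission. The stream rule it applies (anything newer than the newest listed build of a major.minor stream counts as patched; anything between two listed builds needs manual verification) is an assumption of this example, not Unity's guidance.

```python
# Added example (not from the page or from Unity): classify a Unity Editor
# version string against the patched-version list given in the post for
# CVE-2025-59489. The table is copied from the post; the stream rule
# (patched if equal to or newer than the newest listed build of that
# major.minor stream) is this example's own assumption, not Unity's guidance.
import re

# Constructed from the post's table: stream "major.minor" -> patched builds.
PATCHED = {
    "6000.3": ["6000.3.0b4"], "6000.2": ["6000.2.6f2"], "6000.1": ["6000.1.17f1"],
    "6000.0": ["6000.0.58f2"], "2023.2": ["2023.2.22f1"], "2023.1": ["2023.1.22f1"],
    "2022.3": ["2022.3.62f2", "2022.3.67f2"], "2022.2": ["2022.2.23f1"],
    "2022.1": ["2022.1.25f1"], "2021.3": ["2021.3.45f2", "2021.3.56f2"],
    "2021.2": ["2021.2.20f1"], "2021.1": ["2021.1.29f1"], "2020.3": ["2020.3.49f1"],
    "2020.2": ["2020.2.8f1"], "2020.1": ["2020.1.18f1"], "2019.4": ["2019.4.41f1"],
    "2019.3": ["2019.3.17f1"], "2019.2": ["2019.2.23f1"], "2019.1": ["2019.1.15f1"],
}
_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([abfp])(\d+)$")
_RANK = {"a": 0, "b": 1, "f": 2, "p": 3}  # alpha < beta < final < patch release

def parse(version: str) -> tuple:
    """Turn '2022.3.62f1' into a sortable tuple; the a/b/f/p suffix is ordered too."""
    m = _RE.match(version.strip())
    if not m:
        raise ValueError(f"not a Unity version string: {version!r}")
    major, minor, patch, kind, build = m.groups()
    return (int(major), int(minor), int(patch), _RANK[kind], int(build))

def status(version: str) -> str:
    """Return 'patched', 'unpatched', 'verify', 'no-editor-fix' or 'not-affected'."""
    v = parse(version)
    stream = f"{v[0]}.{v[1]}"
    fixed = sorted(parse(x) for x in PATCHED.get(stream, []))
    if not fixed:
        # No patched editor for this stream: per the post, 2017.1-2018.x builds
        # need the binary patcher or an upgrade; older streams predate the bug.
        return "no-editor-fix" if v >= (2017, 1, 0, 0, 0) else "not-affected"
    if v in fixed or v > fixed[-1]:
        return "patched"
    if v < fixed[0]:
        return "unpatched"
    return "verify"  # between two listed fixes (LTS vs xLTS): check manually
```

Feed it the editor version from your build settings; the page's own case, 2022.3.62f1, comes back "unpatched" while 2022.3.62f2 is "patched".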
Final thoughts
As a Unity app developer for the Google Play Store, I want to ask you a question: are you OK after the triple killing from the Google Play Store? In the last several months, we came across the intrusive ads issue, the 16KB issue and now a security vulnerability issue. What will be next?
