CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-25918

Game Over: Unity-CLI Spills Secrets in Verbose Mode

Amit Schendel
Amit Schendel
Senior Security Researcher

Feb 10, 2026·4 min read·20 visits

Executive Summary (TL;DR)

If you used `unity-cli` versions < 1.8.2 with the `--verbose` flag, your Unity credentials (password, serial, token) were printed in plaintext to your console logs. Attackers with access to your CI/CD history or shell logs can harvest these secrets.

In the world of DevOps, visibility is everything. We want logs, metrics, and traces. But sometimes, tools give us a little *too much* visibility. The `unity-cli` tool, a popular wrapper for automating Unity Game Engine tasks, was found to be indiscriminately logging sensitive credentials—passwords, serials, and auth tokens—directly to standard output when the `--verbose` flag was engaged. This vulnerability turns your CI/CD logs into a treasure map for attackers looking to hijack your game development pipeline.

The Hook: Debugging Too Hard

Automation is the lifeblood of modern game development. Nobody wants to manually click 'Build' in the Unity Editor twenty times a day. Enter @rage-against-the-pixel/unity-cli, a nifty TypeScript wrapper that makes headless Unity builds on CI/CD servers bearable.

Like any good CLI tool, it offers a --verbose flag. When things go wrong (and with Unity, they always go wrong), developers instinctively reach for this flag to see what's happening under the hood. It’s a standard debugging reflex.

However, in this specific instance, that reflex was dangerous. The developers behind unity-cli made a classic error: they confused 'debugging context' with 'data dumping'. By trying to be helpful and show the user exactly what arguments were being passed to the system, they inadvertently built a mechanism to broadcast the keys to the kingdom.

The Flaw: Lazy Serialization

The vulnerability (CWE-532) boils down to a single line of code that prioritized convenience over hygiene. The application uses the popular commander library to parse command-line arguments. This library returns an options object containing every flag passed by the user.

The flaw resided in src/cli.ts. When the verbose flag was detected, the application decided to log the entire configuration state. Instead of selectively logging safe parameters (like buildTarget or projectPath), the code blindly passed the entire options object to JSON.stringify().

This is the digital equivalent of emptying your pockets onto the table to find your keys, but also dropping your credit card, social security card, and diary in the process. Because JSON.stringify() is impartial, it serialized everything: email, password, serial, and token included.

The Code: The Smoking Gun

Let's look at the diff. It’s rare to see a vulnerability so concise yet so damaging. In the vulnerable versions, the logging logic was brutally simple:

// src/cli.ts (Vulnerable)
program.command('sign-package')
    .action(async (options) => {
        if (options.verbose) {
            Logger.instance.logLevel = LogLevel.DEBUG;
        }
 
        // 💀 THE KILL SHOT: 
        // Direct serialization of the raw options object
        Logger.instance.debug(JSON.stringify(options)); 
        
        // ... logic continues ...
    });

The fix, introduced in commit 8d4d67b23d7c5fd8f00df3f0f10bec2961c95342, implements a sanitization layer. The developers added a scrubSensitiveData method that recursively walks the object and checks keys against a blacklist.

// src/logger.ts (Patched)
private readonly SENSITIVE_KEYS = [
    'password', 'email', 'serial', 'token', 
    'config', 'organization', 'username'
];
 
private scrubSensitiveData(obj: any): any {
    // ... recursion logic ...
    if (this.SENSITIVE_KEYS.includes(key)) {
        newObj[key] = '[REDACTED]';
    }
    // ...
}

They also added maskCredential to hook into CI-specific masking features (like GitHub Actions ::add-mask::), ensuring that even if a value slips through elsewhere, the runner UI might still hide it.

The Exploit: Scroll Justacking

Exploiting this doesn't require a disassembler or a heap spray. It requires a web browser and a scroll wheel. We call this 'Scroll Justacking'.

The Scenario:

  1. Target Selection: Find a public GitHub repository or a compromised Jenkins instance that uses unity-cli for building game artifacts.
  2. The Trigger: Look for a failed build. Developers often commit a change enabling --verbose to diagnose why a build is failing in CI, or they have it enabled by default in a 'Debug' workflow.
  3. The Execution: The CI runner executes:
    unity-cli activate-license --email "admin@studio.com" --password "S3cr3tUnityP@ss" --verbose
  4. The Loot: The logs output:
    {"email":"admin@studio.com","password":"S3cr3tUnityP@ss","verbose":true}

Once an attacker has these credentials, they can log into the Unity ID portal, revoke licenses (causing a denial of service for the dev team), or potentially access cloud build artifacts depending on the scope of the account.

The Fix: Rotate and Redact

If you are using @rage-against-the-pixel/unity-cli, patching is mandatory. The fix was released in version 1.8.2.

Immediate Steps:

  1. Update: npm install -g @rage-against-the-pixel/unity-cli@latest.
  2. Scrub Logs: Go through your CI/CD history. If you see [REDACTED] in your new logs, great. But your old logs are static text files stored on S3 or GitHub's servers. They still contain the plaintext passwords. You must delete these logs.
  3. Rotate Credentials: This is the most important step. If you ever ran this tool with --verbose, assume your Unity password and serial keys are public knowledge. Change them immediately.

For Developers:

This serves as a grim reminder: Never trust the user input object. Always use an explicit allowlist when logging configuration objects. If you must log a 'context' object, pass it through a sanitization function first. And for the love of security, if your tool handles passwords, consider accepting them via environment variables (UNITY_PASSWORD) rather than CLI flags to avoid them showing up in process lists (ps aux) as well.

Official Patches

RageAgainstThePixelCommit fixing the logging vulnerability

Fix Analysis (1)

Technical Appendix

CVSS Score
5.9/ 10
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS Probability
0.04%
Top 100% most exploited

Affected Systems

@rage-against-the-pixel/unity-cli < 1.8.2GitHub Actions Workflows using unity-cliJenkins Pipelines using unity-cliGitLab CI Runners using unity-cli

Affected Versions Detail

Product
Affected Versions
Fixed Version
@rage-against-the-pixel/unity-cli
RageAgainstThePixel
< 1.8.21.8.2
AttributeDetail
CWE IDCWE-532
Attack VectorLocal / Context Dependent
CVSS5.9 (Medium)
Confidentiality ImpactHigh
Integrity ImpactNone
Exploit StatusTrivial (Log Inspection)

MITRE ATT&CK Mapping

T1552.003Unsecured Credentials: Bash History
Credential Access
T1552.001Unsecured Credentials: Credentials In Files
Credential Access
CWE-532
Insertion of Sensitive Information into Log File

Known Exploits & Detection

ManualLog inspection of CI/CD pipelines running with --verbose

Vulnerability Timeline

Patch Committed (v1.8.2)
2026-02-08
Public Disclosure via GHSA
2026-02-09
CVE Assigned
2026-02-09

References & Sources

  • [1]GitHub Advisory GHSA-4255-c27h-62m5

More Reports

•15 minutes ago•CVE-2026-49753
6.3

CVE-2026-49753: HTTP Request/Response Smuggling via Inconsistent Content-Length Parsing in Elixir Mint Client

An Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling) vulnerability in the Elixir Mint HTTP client allows attacker-controlled HTTP/1 servers to desynchronize response framing on shared connections due to over-lenient parsing of sign-prefixed Content-Length headers.

Amit Schendel
Amit Schendel
1 views•6 min read
•about 1 hour ago•CVE-2026-49754
8.2

CVE-2026-49754: Denial of Service via Unbounded HTTP/2 CONTINUATION Frame Accumulation in Elixir Mint

An allocation of resources without limits or throttling vulnerability in Elixir Mint allows an attacker-controlled HTTP/2 server to exhaust memory in a Mint client. The vulnerability is exploited by sending a HEADERS frame without the END_HEADERS flag followed by an infinite stream of CONTINUATION frames. Because the client lacks limits on the incoming header-block accumulator, the client continuously consumes memory until an out-of-memory crash occurs.

Amit Schendel
Amit Schendel
2 views•6 min read
•about 1 hour ago•CVE-2026-48596
2.1

CVE-2026-48596: Improper Neutralization of CRLF Sequences in Elixir Tesla Multipart HTTP Client

CVE-2026-48596 is an Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Request/Response Splitting, CWE-113) in the Elixir Tesla HTTP client. The flaw resides in how multipart content-type parameters are joined and serialized, enabling attackers to inject arbitrary headers or split HTTP requests when applications pass untrusted inputs to the parameters of multipart uploads.

Alon Barad
Alon Barad
3 views•6 min read
•about 2 hours ago•CVE-2026-48594
8.2

CVE-2026-48594: Decompression Bomb Denial of Service in Elixir Tesla HTTP Client

An improper handling of highly compressed data (decompression bomb) vulnerability exists in the Elixir Tesla HTTP client when utilizing response decompression middlewares. By serving highly compressed responses or stacked content-encoding headers, a malicious server can cause arbitrary heap exhaustion, leading to a denial of service (DoS) crash in the BEAM virtual machine.

Amit Schendel
Amit Schendel
3 views•6 min read
•about 2 hours ago•CVE-2026-48595
8.2

CVE-2026-48595: Cross-Origin Credential Leakage in Elixir Tesla Client via Case-Sensitive Redirect Filter Bypass

A high-severity security vulnerability in Elixir's Tesla HTTP client library (CVE-2026-48595) allows unauthenticated remote attackers to harvest sensitive credentials, including Authorization headers and cookies. The flaw resides in the 'Tesla.Middleware.FollowRedirects' component, which performs case-sensitive lookups when stripping credentials during cross-origin redirects. Because HTTP headers are case-insensitive by RFC specifications, standard canonical casing (e.g., 'Authorization') bypasses the lowercase-only blocklist, leaking tokens to untrusted external redirect destinations.

Alon Barad
Alon Barad
3 views•5 min read
•about 3 hours ago•CVE-2026-48597
8.2

CVE-2026-48597: Denial of Service via Atom Table Exhaustion in Elixir Tesla Client (Mint Adapter)

CVE-2026-48597 is a high-severity Denial of Service (DoS) vulnerability in the Elixir HTTP client library Tesla (specifically involving the Mint adapter) that allows an unauthenticated remote attacker to cause an unrecoverable crash of the Erlang Virtual Machine (BEAM). The flaw arises from the dynamic conversion of untrusted URL schemes into Erlang atoms without validation, leading to global atom table exhaustion.

Alon Barad
Alon Barad
3 views•8 min read