Game Over: Unity-CLI Spills Secrets in Verbose Mode

Automation is the lifeblood of modern game development. Nobody wants to manually click 'Build' in the Unity Editor twenty times a day. Enter @rage-against-the-pixel/unity-cli, a nifty TypeScript wrapper that makes headless Unity builds on CI/CD servers bearable.

Like any good CLI tool, it offers a --verbose flag. When things go wrong (and with Unity, they always go wrong), developers instinctively reach for this flag to see what's happening under the hood. It’s a standard debugging reflex.

However, in this specific instance, that reflex was dangerous. The developers behind unity-cli made a classic error: they confused 'debugging context' with 'data dumping'. By trying to be helpful and show the user exactly what arguments were being passed to the system, they inadvertently built a mechanism to broadcast the keys to the kingdom.

The vulnerability (CWE-532) boils down to a single line of code that prioritized convenience over hygiene. The application uses the popular commander library to parse command-line arguments. This library returns an options object containing every flag passed by the user.

The flaw resided in src/cli.ts. When the verbose flag was detected, the application decided to log the entire configuration state. Instead of selectively logging safe parameters (like buildTarget or projectPath), the code blindly passed the entire options object to JSON.stringify().

This is the digital equivalent of emptying your pockets onto the table to find your keys, but also dropping your credit card, social security card, and diary in the process. Because JSON.stringify() is impartial, it serialized everything: email, password, serial, and token included.

Let's look at the diff. It’s rare to see a vulnerability so concise yet so damaging. In the vulnerable versions, the logging logic was brutally simple:

// src/cli.ts (Vulnerable)
program.command('sign-package')
    .action(async (options) => {
        if (options.verbose) {
            Logger.instance.logLevel = LogLevel.DEBUG;
        }
 
        // 💀 THE KILL SHOT: 
        // Direct serialization of the raw options object
        Logger.instance.debug(JSON.stringify(options)); 
        
        // ... logic continues ...
    });

The fix, introduced in commit 8d4d67b23d7c5fd8f00df3f0f10bec2961c95342, implements a sanitization layer. The developers added a scrubSensitiveData method that recursively walks the object and checks keys against a blacklist.

// src/logger.ts (Patched)
private readonly SENSITIVE_KEYS = [
    'password', 'email', 'serial', 'token', 
    'config', 'organization', 'username'
];
 
private scrubSensitiveData(obj: any): any {
    // ... recursion logic ...
    if (this.SENSITIVE_KEYS.includes(key)) {
        newObj[key] = '[REDACTED]';
    }
    // ...
}

They also added maskCredential to hook into CI-specific masking features (like GitHub Actions ::add-mask::), ensuring that even if a value slips through elsewhere, the runner UI might still hide it.

Exploiting this doesn't require a disassembler or a heap spray. It requires a web browser and a scroll wheel. We call this 'Scroll Justacking'.

The Scenario:

1. Target Selection: Find a public GitHub repository or a compromised Jenkins instance that uses unity-cli for building game artifacts.
2. The Trigger: Look for a failed build. Developers often commit a change enabling --verbose to diagnose why a build is failing in CI, or they have it enabled by default in a 'Debug' workflow.
3. The Execution: The CI runner executes:

   unity-cli activate-license --email "admin@studio.com" --password "S3cr3tUnityP@ss" --verbose

4. The Loot: The logs output:

   {"email":"admin@studio.com","password":"S3cr3tUnityP@ss","verbose":true}

Once an attacker has these credentials, they can log into the Unity ID portal, revoke licenses (causing a denial of service for the dev team), or potentially access cloud build artifacts depending on the scope of the account.

If you are using @rage-against-the-pixel/unity-cli, patching is mandatory. The fix was released in version 1.8.2.

Immediate Steps:

1. Update: npm install -g @rage-against-the-pixel/unity-cli@latest.
2. Scrub Logs: Go through your CI/CD history. If you see [REDACTED] in your new logs, great. But your old logs are static text files stored on S3 or GitHub's servers. They still contain the plaintext passwords. You must delete these logs.
3. Rotate Credentials: This is the most important step. If you ever ran this tool with --verbose, assume your Unity password and serial keys are public knowledge. Change them immediately.

For Developers:

This serves as a grim reminder: Never trust the user input object. Always use an explicit allowlist when logging configuration objects. If you must log a 'context' object, pass it through a sanitization function first. And for the love of security, if your tool handles passwords, consider accepting them via environment variables (UNITY_PASSWORD) rather than CLI flags to avoid them showing up in process lists (ps aux) as well.