CVE-2025-66034
Published 2025-11-29
Priority P264 · critical 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.50% (38.8th percentile)
fontTools is a library for manipulating fonts, written in Python. In versions from 4.33.0 to before 4.60.2, the fonttools varLib (or python3 -m fontTools.varLib) script has an arbitrary file write vulnerability that leads to remote code execution when a malicious .designspace file is processed. The vulnerability affects the main() code path of fontTools.varLib, used by the fonttools varLib CLI and any code that invokes fontTools.varLib.main(). This issue has been patched in version 4.60.2.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | fonttools | < fonttools 4.61.1-1 (forky) | fonttools 4.61.1-1 (forky) |
| fonttools | fonttools | — | — |
| fonttools | fonttools | >= 0 < 4.57.0-1+deb13u1 | 4.57.0-1+deb13u1 |
| fonttools | fonttools | >= 0 < 4.61.1-1 | 4.61.1-1 |
| fonttools | fonttools | >= 0 < 4.55.3-2ubuntu0.25.10.1 | 4.55.3-2ubuntu0.25.10.1 |
| fonttools | fonttools | >= 0 < 4.29.1-2ubuntu0.1~esm1 | 4.29.1-2ubuntu0.1~esm1 |
| fonttools | fonttools | >= 0 < 4.46.0-1ubuntu0.1~esm1 | 4.46.0-1ubuntu0.1~esm1 |
| fonttools | fonttools | >= 4.33.0 < 4.60.2 | 4.60.2 |
| fonttools | fonttools | >= 4.33.0 < 4.60.2 | 4.60.2 |
Detection & IOCs (extracted from sources)
- Monitor for path traversal patterns in .designspace file processing — filenames are not sanitized, enabling directory traversal to overwrite arbitrary filesystem locations
- Inspect XML labelname elements in .designspace files for injected payloads — malicious content can be embedded and injected directly into generated output
- Alert on invocations of fontTools.varLib.main() or the varLib CLI (fonttools varLib / python3 -m fontTools.varLib) processing externally supplied .designspace files
- Watch for unexpected file writes to executable or web-served directories originating from fonttools varLib processes, which may indicate successful exploitation
- High attack complexity: exploitation depends on crafted designspace structures, controlled font sources, and specific invocation of varLib or varLib.main()
- Ubuntu advisory notes CVE-2025-66034 only affects Ubuntu 24.04 LTS, Ubuntu 25.04, and Ubuntu 25.10 — Ubuntu 22.04 LTS is not affected by this specific CVE
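The first two detection points above can be applied before a .designspace file ever reaches varLib. The following pre-flight check is an added example, not code from fontTools or any of the advisories: it parses the document with the standard library, flags source/instance filename attributes that resolve outside an assumed output directory (out_dir), and flags labelname elements that contain markup-like content. The sample documents are constructed for the example.

```python
import os
import re
import xml.etree.ElementTree as ET

# Markup-like fragments that should never appear in a human-readable label.
_MARKUPISH = re.compile(r"[<>]|&#|<\?")


def check_designspace(xml_text: str, out_dir: str = "/tmp/fonts") -> list[str]:
    """Pre-flight a .designspace document before handing it to varLib.

    Returns a list of findings (empty means nothing suspicious):
      * source/instance filename attributes that resolve outside out_dir
        (path traversal sequences or absolute paths);
      * labelname elements whose text or child nodes look like markup.
    out_dir is an assumed location; pass the real build directory in practice.
    """
    findings: list[str] = []
    root = ET.fromstring(xml_text)  # stdlib expat does not fetch external entities
    base = os.path.realpath(out_dir)

    for tag in ("source", "instance"):
        for el in root.iter(tag):
            fname = el.get("filename")
            if fname is None:
                continue
            target = os.path.realpath(os.path.join(base, fname))
            if os.path.isabs(fname) or not target.startswith(base + os.sep):
                findings.append(f"{tag} filename escapes {out_dir}: {fname!r}")

    for el in root.iter("labelname"):
        text = (el.text or "").strip()
        if len(el) or _MARKUPISH.search(text):
            findings.append(f"labelname looks like markup: {text!r}")
    return findings


# Constructed sample: one traversing source path and one markup-like labelname.
SUSPICIOUS = """<?xml version="1.0" encoding="UTF-8"?>
<designspace format="5.0">
  <axes>
    <axis tag="wght" name="Weight" minimum="100" maximum="900" default="400">
      <labelname xml:lang="en">Weight &lt;b&gt;bold&lt;/b&gt;</labelname>
    </axis>
  </axes>
  <sources>
    <source filename="../../outside/Regular.ufo" name="Regular"/>
  </sources>
</designspace>"""

# Constructed clean variant: relative filename inside out_dir, plain label text.
CLEAN = SUSPICIOUS.replace("../../outside/Regular.ufo", "Regular.ufo").replace(
    "Weight &lt;b&gt;bold&lt;/b&gt;", "Weight")

if __name__ == "__main__":
    for line in check_designspace(SUSPICIOUS):
        print(line)
```

A non-empty result is a reason to reject the file or route it for review rather than pass it to `fontTools.varLib.main()`; the check complements, and does not replace, upgrading to 4.60.2 or later.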
CVSS provenance
- nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- osv: 9.8 CRITICAL
- vendor_ubuntu: 7.5 HIGH
- vendor_debian: 6.3 MEDIUM
- vendor_redhat: 6.3 MEDIUM
Ubuntu
fontTools vulnerabilities
vendor_ubuntu · 2025-12-09 · CVSS 7.5 · CVE-2025-66034 [HIGH]
Summary: Several security issues were fixed in fontTools.
It was discovered that the subsetting module of fontTools was vulnerable to
an XML External Entity (XXE) attack. An unauthenticated remote attacker
could possibly use this issue to include arbitrary files from the file
system or make web requests from the host system. This issue only affected
Ubuntu 22.04 LTS. (CVE-2023-45139)
It was discovered that fontTools was vulnerable to path traversal attacks.
If a user or automated system were tricked into extracting a specially
crafted .designspace file, an attacker could possibly use this issue to
write arbitrary files outside the target directory, resulting in remote
code execution. This issue only affected Ubuntu 24.04 LTS, Ubuntu 25.04
and Ubuntu 25.10. (CVE-2025-66034)
Red Hat
fonttools: fontTools: Arbitrary file write leading to remote code execution via malicious .designspace file
vendor_redhat · 2025-11-29 · CVSS 6.3 · CVE-2025-66034 [MEDIUM] · CWE-91
This vulnerability in fontTools varLib allows a crafted .designspace file to trigger arbitrary file writes and XML-based content injection during variable-font generation. Because filenames are n
Debian
CVE-2025-66034: fonttools - fontTools is a library for manipulating fonts, written in Python. In versions fr...
vendor_debian · 2025 · CVSS 6.3 · CVE-2025-66034 [MEDIUM]
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 4.61.1-1)
sid: resolved (fixed in 4.61.1-1)
trixie: resolved (fixed in 4.57.0-1+deb13u1)
OSV
fonttools vulnerabilities
osv · 2025-12-09 · CVSS 7.5 · CVE-2023-45139 [HIGH]
It was discovered that the subsetting module of fontTools was vulnerable to
an XML External Entity (XXE) attack. An unauthenticated remote attacker
could possibly use this issue to include arbitrary files from the file
system or make web requests from the host system. This issue only affected
Ubuntu 22.04 LTS. (CVE-2023-45139)
It was discovered that fontTools was vulnerable to path traversal attacks.
If a user or automated system were tricked into extracting a specially
crafted .designspace file, an attacker could possibly use this issue to
write arbitrary files outside the target directory, resulting in remote
code execution. This issue only affected Ubuntu 24.04 LTS, Ubuntu 25.04
and Ubuntu 25.10. (CVE-2025-66034)
OSV
fontTools is Vulnerable to Arbitrary File Write and XML injection in fontTools.varLib
osv · 2025-12-01 · CVE-2025-66034 [MEDIUM]
## Summary
The `fonttools varLib` (or `python3 -m fontTools.varLib`) script has an arbitrary file write vulnerability that leads to remote code execution when a malicious .designspace file is processed. The vulnerability affects the `main()` code path of `fontTools.varLib`, used by the fonttools varLib CLI and any code that invokes `fontTools.varLib.main()`.
The vulnerability exists due to unsanitised filename handling combined with content injection. Attackers can write files to arbitrary filesystem locations via path traversal sequences, and inject malicious code (like PHP) into the output files through XML injection in labelname elements. When these files are placed in web-accessible locations and e
GHSA
fontTools is Vulnerable to Arbitrary File Write and XML injection in fontTools.varLib
ghsa · 2025-12-01 · CVE-2025-66034 [MEDIUM] · CWE-91
OSV
CVE-2025-66034: fontTools is a library for manipulating fonts, written in Python
osv · 2025-11-29 · CVSS 9.8 · CVE-2025-66034 [CRITICAL]
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-11-29