CVE-2025-66034
published 2025-11-29


Priority: P2 · 64 · critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.50% (38.8th percentile)
fontTools is a library for manipulating fonts, written in Python. In versions from 4.33.0 to before 4.60.2, the fonttools varLib (or python3 -m fontTools.varLib) script has an arbitrary file write vulnerability that leads to remote code execution when a malicious .designspace file is processed. The vulnerability affects the main() code path of fontTools.varLib, used by the fonttools varLib CLI and any code that invokes fontTools.varLib.main(). This issue has been patched in version 4.60.2.

Affected (9 ranges)

Vendor      Product     Version range                          Fixed in
debian      fonttools   < fonttools 4.61.1-1 (forky)           fonttools 4.61.1-1 (forky)
fonttools   fonttools   (not given)                            (not given)
fonttools   fonttools   >= 0, < 4.57.0-1+deb13u1               4.57.0-1+deb13u1
fonttools   fonttools   >= 0, < 4.61.1-1                       4.61.1-1
fonttools   fonttools   >= 0, < 4.55.3-2ubuntu0.25.10.1        4.55.3-2ubuntu0.25.10.1
fonttools   fonttools   >= 0, < 4.29.1-2ubuntu0.1~esm1         4.29.1-2ubuntu0.1~esm1
fonttools   fonttools   >= 0, < 4.46.0-1ubuntu0.1~esm1         4.46.0-1ubuntu0.1~esm1
fonttools   fonttools   >= 4.33.0, < 4.60.2                    4.60.2
fonttools   fonttools   >= 4.33.0, < 4.60.2                    4.60.2

Version strings with a -1 or +deb13u1 suffix are Debian package versions; those with ubuntu0.* or ~esm1 suffixes are Ubuntu package versions. The upstream (PyPI) affected range is >= 4.33.0, < 4.60.2.

Detection & IOCs (extracted from sources)

filename: .designspace
command: python3 -m fontTools.varLib
  • Monitor for path traversal patterns in .designspace file processing: filenames are not sanitized, enabling directory traversal to overwrite arbitrary filesystem locations.
  • Inspect XML labelname elements in .designspace files for injected payloads: malicious content can be embedded and injected directly into generated output.
  • Alert on invocations of fontTools.varLib.main() or the varLib CLI (fonttools varLib / python3 -m fontTools.varLib) that process externally supplied .designspace files.
  • Watch for unexpected file writes to executable or web-served directories originating from fonttools varLib processes; these may indicate successful exploitation.
  • High attack complexity: exploitation depends on crafted designspace structures, controlled font sources, and a specific invocation of varLib or varLib.main().
  • The Ubuntu advisory notes that CVE-2025-66034 only affects Ubuntu 24.04 LTS, Ubuntu 25.04 and Ubuntu 25.10; Ubuntu 22.04 LTS is not affected by this specific CVE.
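The first two monitoring points above, and the affected-version range in the table, can be turned into a static pre-check that runs on any externally supplied .designspace file before it reaches fonttools varLib. The following is an added example written for this page, not fontTools project code. It uses only the Python standard library, treats the filename attribute of source and instance elements as relative to the directory the designspace lives in (which is how designspaceLib resolves them) and flags any that resolve outside that directory or are absolute, and flags any labelname whose text contains control characters. The control-character heuristic, the function names and the sample designspace are assumptions constructed for illustration; the version bounds are those stated in the advisory.

```python
import os
import re
import xml.etree.ElementTree as ET

# Affected range from the advisory: >= 4.33.0 and < 4.60.2.
AFFECTED_MIN = (4, 33, 0)
FIXED_IN = (4, 60, 2)

# Attribute key ElementTree uses for xml:lang on <labelname>.
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

# Heuristic (assumption, not from the advisory): a human-readable label
# has no reason to carry control characters such as newlines.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def parse_version(version):
    """'4.60.2' -> (4, 60, 2); non-numeric tails such as '.post1' are ignored."""
    parts = re.findall(r"\d+", version)[:3]
    parts += ["0"] * (3 - len(parts))
    return tuple(int(p) for p in parts)


def is_affected(version):
    """True when an installed fonttools version lies in [4.33.0, 4.60.2)."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def escapes_directory(base_dir, filename):
    """Would `filename`, resolved relative to base_dir, land outside base_dir?

    Absolute paths count as escaping: a designspace has no reason to name one.
    """
    if os.path.isabs(filename):
        return True
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, filename))
    return os.path.commonpath([base, target]) != base


def scan_designspace(xml_text, base_dir):
    """Return findings as (kind, where, detail) tuples.

    base_dir is the directory the designspace file lives in; source and
    instance filenames are resolved relative to it.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for tag in ("source", "instance"):
        for el in root.iter(tag):
            fn = el.get("filename")
            if fn and escapes_directory(base_dir, fn):
                findings.append(("path_traversal", tag, fn))
    for el in root.iter("labelname"):
        text = el.text or ""
        if CONTROL_CHARS.search(text):
            findings.append(("suspicious_labelname", el.get(XML_LANG), text))
    return findings


# Constructed sample, not a real project file: one legitimate source, one
# source whose filename climbs out of the designspace directory, one
# legitimate instance, and one labelname carrying an embedded newline.
SAMPLE_DESIGNSPACE = """\
<designspace format="5.0">
  <axes>
    <axis tag="wght" name="Weight" minimum="100" default="400" maximum="900">
      <labelname xml:lang="en">Weight</labelname>
      <labelname xml:lang="de">Gewicht&#10;injected line</labelname>
    </axis>
  </axes>
  <sources>
    <source filename="Regular.ufo" name="Regular">
      <location><dimension name="Weight" xvalue="400"/></location>
    </source>
    <source filename="../../../../tmp/evil.ufo" name="Bold">
      <location><dimension name="Weight" xvalue="900"/></location>
    </source>
  </sources>
  <instances>
    <instance filename="instances/Medium.ufo" name="Medium">
      <location><dimension name="Weight" xvalue="500"/></location>
    </instance>
  </instances>
</designspace>
"""


if __name__ == "__main__":
    # "/work/fonts" is an assumed location for the designspace file.
    for kind, where, detail in scan_designspace(SAMPLE_DESIGNSPACE, "/work/fonts"):
        print(f"{kind}: {where}: {detail!r}")
    print("fonttools 4.60.1 affected:", is_affected("4.60.1"))
```

Run it against a real file with `scan_designspace(open(path).read(), os.path.dirname(os.path.abspath(path)))`; any path_traversal finding is a reason to refuse the file outright, while a suspicious_labelname finding is a heuristic that warrants a look rather than an automatic block. The check is a pre-filter only: upgrading to 4.60.2 or later is the fix.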

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv                      9.8    CRITICAL
vendor_ubuntu            7.5    HIGH
vendor_debian            6.3    MEDIUM
vendor_redhat            6.3    MEDIUM