AI description
CVE-2025-66034 affects fontTools, a Python library for manipulating fonts. Specifically, versions 4.33.0 to before 4.60.2 contain an arbitrary file write vulnerability within the `fontTools.varLib` script. This vulnerability can be triggered when processing a malicious `.designspace` file. The vulnerability lies in the `main()` code path of `fontTools.varLib`, which is used by the `fonttools varLib` CLI and any code that invokes `fontTools.varLib.main()`. Successful exploitation could allow a malicious user to write arbitrary files on the file system, potentially leading to remote code execution. The issue has been addressed in version 4.60.2.
- Description
- fontTools is a library for manipulating fonts, written in Python. In versions from 4.33.0 to before 4.60.2, the fonttools varLib (or python3 -m fontTools.varLib) script has an arbitrary file write vulnerability that leads to remote code execution when a malicious .designspace file is processed. The vulnerability affects the main() code path of fontTools.varLib, used by the fonttools varLib CLI and any code that invokes fontTools.varLib.main(). This issue has been patched in version 4.60.2.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
- Products
- fonttools
CVSS 3.1
- Type
- Primary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
- security-advisories@github.com
- CWE-91
- Hype score
- Not currently trending
SECURITY ALERT: CVE-2025-66034 Exploit Fix & Mitigation Guide Read more: https://t.co/pudevNRNqq #Cybersecurity #CVE https://t.co/bxke1sokA8
@SecReportCVE
24 Dec 2025
75 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
URGENT: #Fedora 42 critical RCE vulnerability CVE-2025-66034 in #python-unicodedata2/fonttools. Arbitrary file write via malicious .designspace files leads to full system compromise. Read more: ๐ https://t.co/2cP9hnQMpy #Security https://t.co/TV7wwE7aQX
@Cezar_H_Linux
20 Dec 2025
58 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Technical Security Advisory: CVE-2025-66034 Severity: High. Arbitrary file write leading to Remote Code Execution in fontTools via malicious .designspace file parsing. Read more: ๐ https://t.co/iTtAFf6dOD #Security #Ubuntu https:
@Cezar_H_Linux
20 Dec 2025
61 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
csirt_it: โผ Disponibile #PoC per lo sfruttamento della CVE-2025-66034, presente nella nota libreria #fontTools Rischio: ๐ Tipologia: ๐ธ Arbitrary Code Execution ๐ธ Remote Code Execution ๐ธ Privilege Escalation ๐ https://t.co/g9qXL2LqG1 โ Importante mantenere a
@Vulcanux_
29 Nov 2025
38 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
โผ Disponibile #PoC per lo sfruttamento della CVE-2025-66034, presente nella nota libreria #fontTools Rischio: ๐ Tipologia: ๐ธ Arbitrary Code Execution ๐ธ Remote Code Execution ๐ธ Privilege Escalation ๐ https://t.co/ricQMbS0Fo โ Importante mantenere aggiornati
@csirt_it
29 Nov 2025
242 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-66034 fontTools is a library for manipulating fonts, written in Python. In versions from 4.33.0 to before 4.60.2, the fonttools varLib (or python3 -m fontTools.varLib) scriโฆ https://t.co/Au1nLEhnlM
@CVEnew
29 Nov 2025
350 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-66034 Arbitrary File Write Vulnerability in fontTools varLib Leading to Remote Code Execution https://t.co/IOTI7aWCHn
@VulmonFeeds
29 Nov 2025
64 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:fonttools:fonttools:*:*:*:*:*:python:*:*",
"vulnerable": true,
"matchCriteriaId": "76CBDF6D-E062-4632-8E9B-027EC11860C7",
"versionEndExcluding": "4.60.2",
"versionStartIncluding": "4.33.0"
}
],
"operator": "OR"
}
]
}
]