AI description
CVE-2025-66034 affects fontTools, a Python library for manipulating fonts. Specifically, versions 4.33.0 to before 4.60.2 contain an arbitrary file write vulnerability within the `fontTools.varLib` script. This vulnerability can be triggered when processing a malicious `.designspace` file. The vulnerability lies in the `main()` code path of `fontTools.varLib`, which is used by the `fonttools varLib` CLI and any code that invokes `fontTools.varLib.main()`. Successful exploitation could allow a malicious user to write arbitrary files on the file system, potentially leading to remote code execution. The issue has been addressed in version 4.60.2.
- Description: fontTools is a library for manipulating fonts, written in Python. In versions from 4.33.0 to before 4.60.2, the fonttools varLib (or python3 -m fontTools.varLib) script has an arbitrary file write vulnerability that leads to remote code execution when a malicious .designspace file is processed. The vulnerability affects the main() code path of fontTools.varLib, used by the fonttools varLib CLI and any code that invokes fontTools.varLib.main(). This issue has been patched in version 4.60.2.
- Source: security-advisories@github.com
- NVD status: Analyzed
- Products: fonttools
CVSS 3.1
- Type: Primary
- Base score: 9.8
- Impact score: 5.9
- Exploitability score: 3.9
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity: CRITICAL
- CWE-91 (security-advisories@github.com)
- Hype score: Not currently trending
csirt_it: ‼ #PoC available for exploiting CVE-2025-66034, present in the well-known #fontTools library. Risk: Type: 🔸 Arbitrary Code Execution 🔸 Remote Code Execution 🔸 Privilege Escalation https://t.co/g9qXL2LqG1 Important to keep a
@Vulcanux_
29 Nov 2025
38 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
‼ #PoC available for exploiting CVE-2025-66034, present in the well-known #fontTools library. Risk: Type: 🔸 Arbitrary Code Execution 🔸 Remote Code Execution 🔸 Privilege Escalation https://t.co/ricQMbS0Fo Important to keep updated
@csirt_it
29 Nov 2025
242 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-66034 fontTools is a library for manipulating fonts, written in Python. In versions from 4.33.0 to before 4.60.2, the fonttools varLib (or python3 -m fontTools.varLib) scri… https://t.co/Au1nLEhnlM
@CVEnew
29 Nov 2025
350 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-66034 Arbitrary File Write Vulnerability in fontTools varLib Leading to Remote Code Execution https://t.co/IOTI7aWCHn
@VulmonFeeds
29 Nov 2025
64 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:fonttools:fonttools:*:*:*:*:*:python:*:*",
"vulnerable": true,
"matchCriteriaId": "76CBDF6D-E062-4632-8E9B-027EC11860C7",
"versionEndExcluding": "4.60.2",
"versionStartIncluding": "4.33.0"
}
],
"operator": "OR"
}
]
}
]