- Description
- fontTools is a library for manipulating fonts, written in Python. In versions from 4.33.0 to before 4.60.2, the fonttools varLib (or python3 -m fontTools.varLib) script has an arbitrary file write vulnerability that leads to remote code execution when a malicious .designspace file is processed. The vulnerability affects the main() code path of fontTools.varLib, used by the fonttools varLib CLI and any code that invokes fontTools.varLib.main(). This issue has been patched in version 4.60.2.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
- Products
- fonttools
CVSS 3.1
- Type
- Primary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
- security-advisories@github.com
- CWE-91
- Hype score
- Not currently trending
Just rooted VariaType on @hackthebox_eu! LFI source leak via ....// bypass__RCE via FontTools injection (CVE-2025-66034)__Lateral move via filename command injection__Rooted via setuptools PackageIndex path traversal https://t.co/bqrqA3lQ3N #HackTheBox #HTB #CyberSecuri
@bundibrianx
15 Mar 2026
153 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
SECURITY ALERT: CVE-2025-66034 Exploit Fix & Mitigation Guide Read more: https://t.co/pudevNRNqq #Cybersecurity #CVE https://t.co/bxke1sokA8
@SecReportCVE
24 Dec 2025
75 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
URGENT: #Fedora 42 critical RCE vulnerability CVE-2025-66034 in #python-unicodedata2/fonttools. Arbitrary file write via malicious .designspace files leads to full system compromise. Read more: https://t.co/2cP9hnQMpy #Security https://t.co/TV7wwE7aQX
@Cezar_H_Linux
20 Dec 2025
58 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Technical Security Advisory: CVE-2025-66034 Severity: High. Arbitrary file write leading to Remote Code Execution in fontTools via malicious .designspace file parsing. Read more: https://t.co/iTtAFf6dOD #Security #Ubuntu https:
@Cezar_H_Linux
20 Dec 2025
61 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
csirt_it: #PoC available for exploiting CVE-2025-66034, present in the well-known #fontTools library. Risk: Type: Arbitrary Code Execution, Remote Code Execution, Privilege Escalation https://t.co/g9qXL2LqG1 Important to keep
@Vulcanux_
29 Nov 2025
38 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
#PoC available for exploiting CVE-2025-66034, present in the well-known #fontTools library. Risk: Type: Arbitrary Code Execution, Remote Code Execution, Privilege Escalation https://t.co/ricQMbS0Fo Important to keep updated
@csirt_it
29 Nov 2025
242 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-66034 fontTools is a library for manipulating fonts, written in Python. In versions from 4.33.0 to before 4.60.2, the fonttools varLib (or python3 -m fontTools.varLib) scri… https://t.co/Au1nLEhnlM
@CVEnew
29 Nov 2025
350 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-66034 Arbitrary File Write Vulnerability in fontTools varLib Leading to Remote Code Execution https://t.co/IOTI7aWCHn
@VulmonFeeds
29 Nov 2025
64 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:fonttools:fonttools:*:*:*:*:*:python:*:*",
            "matchCriteriaId": "76CBDF6D-E062-4632-8E9B-027EC11860C7",
            "versionEndExcluding": "4.60.2",
            "versionStartIncluding": "4.33.0",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]