CVE-2025-66034
BaseFortify
Publication date: 2025-11-29
Last updated on: 2025-12-03
Assigner: GitHub, Inc.
Description
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fonttools | fonttools | From 4.33.0 (inc) to 4.60.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-91 | The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the fontTools library, specifically in the varLib script used for manipulating fonts. Versions from 4.33.0 up to but not including 4.60.2 have an arbitrary file write vulnerability in the main() code path of fontTools.varLib. When a malicious .designspace file is processed, this vulnerability can lead to remote code execution.
How can this vulnerability impact me?
If you use the affected versions of fontTools varLib and process untrusted .designspace files, an attacker could exploit this vulnerability to write arbitrary files and execute remote code on your system. This could compromise the security and integrity of your environment.
What immediate steps should I take to mitigate this vulnerability?
Upgrade fontTools to version 4.60.2 or later, as this version contains the patch that fixes the arbitrary file write vulnerability in fontTools.varLib.
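As an added defender-side check (example code, not BaseFortify's or the fontTools project's own), the script below reads the installed fonttools version through importlib.metadata and reports whether it falls inside the affected range stated on this page, from 4.33.0 inclusive to 4.60.2 exclusive. The version-string parsing, including how pre-release suffixes such as rc or dev are ordered, is an assumption of this example and not something the page specifies.

```python
"""Report whether the installed fonttools is in the range affected by
CVE-2025-66034 (4.33.0 <= version < 4.60.2, as stated on this page).
Added example; not BaseFortify's or the fontTools project's code."""
import re
from importlib.metadata import PackageNotFoundError, version

AFFECTED_MIN = "4.33.0"  # first affected release (inclusive), from the page
FIXED = "4.60.2"         # first fixed release (exclusive upper bound), from the page

_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)(.*)$")


def parse_version(text: str) -> tuple:
    """Turn a version string into a comparable key.

    Returns ((major, minor, patch), final) where final is 1 for a final
    release and 0 for a pre-release (a/b/rc/dev suffix), so that
    '4.60.2rc1' sorts before '4.60.2'. Ordering of pre-releases this way
    is an assumption of the example, chosen to stay conservative: a
    release candidate of the fixed version is still reported as affected.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = [int(part) for part in match.group(1).split(".")]
    while len(numbers) < 3:          # pad '4.60' to (4, 60, 0)
        numbers.append(0)
    suffix = match.group(2)
    final = 0 if re.search(r"(?:a|b|rc|dev)\d*", suffix) else 1
    return (tuple(numbers[:3]), final)


def is_affected(version_str: str) -> bool:
    """True when version_str lies in [AFFECTED_MIN, FIXED)."""
    v = parse_version(version_str)
    return parse_version(AFFECTED_MIN) <= v < parse_version(FIXED)


def check_installed(distribution: str = "fonttools") -> tuple:
    """Look up the installed distribution and classify it.

    Returns (version_string_or_None, affected_bool). A missing package
    yields (None, False): nothing to patch on this interpreter.
    """
    try:
        installed = version(distribution)
    except PackageNotFoundError:
        return None, False
    return installed, is_affected(installed)


if __name__ == "__main__":
    found, affected = check_installed()
    if found is None:
        print("fonttools is not installed in this environment")
    elif affected:
        print(f"fonttools {found} is affected by CVE-2025-66034; "
              f"upgrade to {FIXED} or later")
    else:
        print(f"fonttools {found} is outside the affected range")
```

Run it inside each virtual environment that processes .designspace files; a single interpreter-wide result says nothing about other environments, and a clean result here does not cover vendored or pinned copies of fonttools elsewhere on the host.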