CVE-2025-66034

6.3 MEDIUM

📋 TL;DR

This vulnerability in fontTools allows arbitrary file write leading to remote code execution when processing malicious .designspace files. It affects users who run the fonttools varLib CLI or invoke fontTools.varLib.main() directly. The issue impacts fontTools versions 4.33.0 through 4.60.1.

💻 Affected Systems

Products:
  • fontTools
Versions: 4.33.0 to 4.60.1
Operating Systems: All platforms running Python
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is in the main() code path of fontTools.varLib, affecting both CLI usage and programmatic invocation.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise, with the attacker gaining remote code execution that can lead to data theft, ransomware deployment, or lateral movement within the network.

🟠 Likely Case: Local privilege escalation or file system manipulation by authenticated users who can supply malicious .designspace files to font processing systems.

🟢 If Mitigated: Limited impact where proper input validation and file processing restrictions are in place, potentially confined to isolated font processing environments.

🌐 Internet-Facing: MEDIUM - Risk exists if font processing services are exposed to untrusted users, but requires specific .designspace file upload and processing.
🏢 Internal Only: MEDIUM - Internal users with access to font processing systems could exploit this for privilege escalation or lateral movement.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the ability to supply a malicious .designspace file to a vulnerable fontTools installation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.60.2

Vendor Advisory: https://github.com/fonttools/fonttools/security/advisories/GHSA-768j-98cg-p3fv

Restart Required: No

Instructions:

1. Check current fontTools version: pip show fonttools
2. Upgrade to patched version: pip install --upgrade fonttools==4.60.2
3. Verify installation: pip show fonttools | grep Version

🔧 Temporary Workarounds

Input Validation (all platforms): implement strict validation of .designspace files before processing them with fontTools.

Sandbox Execution (linux): run fontTools in an isolated container or sandbox with no network access and only a read-only mount of the input files, so a malicious file can neither write outside the container nor reach out. The input path below is a placeholder to adjust; the original command mounted the host's /tmp, which would expose host files to the container:

docker run --rm --network none --read-only --tmpfs /tmp -v "$PWD/fonts:/fonts:ro" python fonttools_command

🧯 If You Can't Patch

  • Restrict access to font processing functionality to trusted users only
  • Implement network segmentation to isolate font processing systems from critical infrastructure

🔍 How to Verify

Check if Vulnerable:

Check the fontTools version: python -c "import fontTools; print(fontTools.__version__)" and confirm whether it falls between 4.33.0 and 4.60.1 (inclusive).

Check Version:

python -c "import fontTools; print(fontTools.__version__)" or pip show fonttools | grep Version

Verify Fix Applied:

Confirm version is 4.60.2 or higher: python -c "import fontTools; print(fontTools.__version__)"
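A defender-side check of the affected range, added here as an example that is not from the advisory or the fontTools project. It assumes only the version bounds stated above and reads the installed version via importlib.metadata; it compares versions numerically, since a plain string comparison would misplace versions such as 4.9.0 relative to 4.60.1.

```python
"""Check whether the installed fontTools falls in the CVE-2025-66034 range.

Added example (not the advisory's or the fontTools project's own code).
Assumes the affected range 4.33.0 <= version <= 4.60.1 and the fix in 4.60.2.
"""
import re
from importlib import metadata

AFFECTED_MIN = (4, 33, 0)
AFFECTED_MAX = (4, 60, 1)
FIXED = (4, 60, 2)


def parse_version(text):
    """Turn '4.60.1' into (4, 60, 1) for numeric comparison.

    As strings, '4.9.0' sorts after '4.60.1' and would be misclassified,
    so the components are converted to integers first.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(version_text):
    """True when the version lies inside the vulnerable range, inclusive."""
    return AFFECTED_MIN <= parse_version(version_text) <= AFFECTED_MAX


def installed_fonttools_version():
    """Version of the installed distribution, or None if it is not installed."""
    try:
        return metadata.version("fonttools")
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    installed = installed_fonttools_version()
    if installed is None:
        print("fonttools is not installed")
    elif is_affected(installed):
        print(f"fonttools {installed} is affected; upgrade to 4.60.2 or later")
    else:
        print(f"fonttools {installed} is outside the affected range")
```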

📡 Detection & Monitoring

Log Indicators:

  • Unusual font processing activity
  • Multiple .designspace file processing failures
  • Unexpected file writes by fontTools processes, especially outside the intended output directory

Network Indicators:

  • Unexpected outbound connections from font processing systems
  • Large .designspace file uploads to font processing services

SIEM Query:

source="fonttools" AND (event="file_write" OR event="process_execution")
