Vulnerability Description
fontTools is a library for manipulating fonts, written in Python. In versions from 4.33.0 to before 4.60.2, the fonttools varLib (or python3 -m fontTools.varLib) script has an arbitrary file write vulnerability that leads to remote code execution when a malicious .designspace file is processed. The vulnerability affects the main() code path of fontTools.varLib, used by the fonttools varLib CLI and any code that invokes fontTools.varLib.main(). This issue has been patched in version 4.60.2.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Fonttools | Fonttools | >= 4.33.0, < 4.60.2 |
Related Weaknesses (CWE)
References
- https://github.com/fonttools/fonttools/commit/a696d5ba93270d5954f98e7cab5ddca8a0Patch
- https://github.com/fonttools/fonttools/security/advisories/GHSA-768j-98cg-p3fvExploitVendor Advisory
- https://github.com/fonttools/fonttools/security/advisories/GHSA-768j-98cg-p3fvExploitVendor Advisory
FAQ
What is CVE-2025-66034?
CVE-2025-66034 is a vulnerability with a CVSS score of 6.3 (MEDIUM). fontTools is a library for manipulating fonts, written in Python. In versions from 4.33.0 to before 4.60.2, the fonttools varLib (or python3 -m fontTools.varLib) script has an arbitrary file write vul...
How severe is CVE-2025-66034?
CVE-2025-66034 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-66034?
Check the references section above for vendor advisories and patch information. Affected products include: Fonttools Fonttools.