DEBIAN-CVE-2025-66034
PUBLISHED
CVSS 9.8 CRITICAL
fontTools is a library for manipulating fonts, written in Python. In versions from 4.33.0 up to but not including 4.60.2, the fonttools varLib script (also reachable as python3 -m fontTools.varLib) has an arbitrary file write vulnerability that leads to remote code execution when a malicious .designspace file is processed. The vulnerability lies in the main() code path of fontTools.varLib, which is used by the fonttools varLib CLI and by any code that invokes fontTools.varLib.main(). This issue has been patched in version 4.60.2.
Risk Scores
CVSS 3.1
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:13 | fonttools | 4.57.0-1, 0, 4.57.0-1 |
| Debian:12 | fonttools | 4.55.0-2, 4.55.0-3, 4.55.3-1+hurd.1 |
| Debian:14 | fonttools | 4.57.0-1, 4.57.0-3, 4.57.0-2 |
| Debian:11 | fonttools | 4.23.1-1, 4.24.4-1, 4.26.2-1 |
Exploit Intelligence
- Liquid1998/Variatype.htb-CVE-2025-66034 (github-poc-repo)
- Proof-of-concept exploit for CVE-2025-66034 in the fontTools variable font generation pipeline. A crafted .designspace file allows control of the output path, enabling arbitrary file writes. The script automates payload creation, font generation, and upload to demonstrate the issue. (github-poc-repo)
- v3cn4x00/POC-CVE-2025-66034 (github-poc-repo, github-poc)
- CVE-2025-66034 - fontTools varLib Arbitrary File Write → RCE PoC exploit for an Arbitrary File Write + XML Injection vulnerability in fontTools.varLib. (github-poc-repo, github-poc)
- CVE-2025-66034 exploit and documentation (github-poc-repo, github-poc)
- jwsly12/CVE-2025-66034-htb-ctf (github-poc-repo, github-poc)
…and 3 more exploits
Timeline
- Nov 29, 2025 CVE Published
- May 16, 2026 CVE Updated