CVE-2025-66034

CVE-2025-66034 is an arbitrary file write vulnerability in the fontTools Python library for manipulating fonts, affecting versions 4.33.0 through 4.60.1. The issue resides in the fonttools varLib script (invoked via python3 -m fontTools.varLib or fontTools.varLib.main()), which processes .designspace files. A malicious .designspace file can trigger the vulnerability in the main() code path, enabling arbitrary file writes that lead to remote code execution.

The vulnerability has a CVSS v3.1 base score of 6.3 (AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:L) and is associated with CWE-91 (XML Injection). Exploitation requires local access and high attack complexity, with no privileges needed but user interaction required, such as tricking a user into running the varLib CLI on a crafted .designspace file. Successful exploitation allows an attacker to achieve remote code execution through arbitrary file writes, with high integrity impact, low availability impact, and changed scope.

The vulnerability has been patched in fontTools version 4.60.2. Security practitioners should upgrade to this version or later. Additional details are available in the GitHub security advisory (GHSA-768j-98cg-p3fv) and the patching commit (a696d5ba93270d5954f98e7cab5ddca8a02c1e32).