Home > Vulnerability Database > CVE-2025-66034

Mend.io Vulnerability Database

CVE-2025-66034

Good to know:

Date: November 28, 2025

fontTools is a library for manipulating fonts, written in Python. In versions from 4.33.0 to before 4.60.2, the fonttools varLib (or python3 -m fontTools.varLib) script has an arbitrary file write vulnerability that leads to remote code execution when a malicious .designspace file is processed. The vulnerability affects the main() code path of fontTools.varLib, used by the fonttools varLib CLI and any code that invokes fontTools.varLib.main(). This issue has been patched in version 4.60.2.

Severity Score

6.3

Related Resources (5)

Url: https://github.com/fonttools/fonttools/commit/a696d5ba93270d5954f98e7cab5ddca8a02c1e32

Url: https://github.com/fonttools/fonttools/security/advisories/GHSA-768j-98cg-p3fv

Url: https://github.com/fonttools/fonttools

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-66034

Url: https://www.mend.io/vulnerability-database/CVE-2025-66034

Severity Score

6.3

Weakness Type (CWE)

XML Injection (aka Blind XPath Injection)

CWE-91

Top Fix

Upgrade Version

Upgrade to version fonttools - 4.60.2;fonttools - 4.60.2;https://github.com/fonttools/fonttools.git - 4.60.2

Learn More

CVSS v3.1

Base Score:	6.3
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2025-66034

Good to know:

Date: November 28, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?