CVE-2025-66034 · CRITICAL 9.8 · EPSS percentile 38.0%

Description

fontTools is a library for manipulating fonts, written in Python. In versions from 4.33.0 to before 4.60.2, the fonttools varLib (or python3 -m fontTools.varLib) script has an arbitrary file write vulnerability that leads to remote code execution when a malicious .designspace file is processed. The vulnerability affects the main() code path of fontTools.varLib, used by the fonttools varLib CLI and any code that invokes fontTools.varLib.main(). This issue has been patched in version 4.60.2.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.49% probability of exploitation · percentile 38.0% · scored 2026-06-19T12:03:05Z
Published: 2025-11-29
Last modified: 2025-12-03

Underlying weaknesses (1)

CWE-91

References

  1. https://github.com/fonttools/fonttools/commit/a696d5ba93270d5954f98e7cab5ddca8a02c1e32
  2. https://github.com/fonttools/fonttools/security/advisories/GHSA-768j-98cg-p3fv


Type       Target                                             Confidence  Tier
Weakness   XML Injection (aka Blind XPath Injection), cwe-91  0%          live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2025-15270
  2. CVE: CVE-2025-15274
  3. CVE: CVE-2025-15271
  4. CVE: CVE-2025-15275
  5. CVE: CVE-2025-15269
  6. CVE: CVE-2025-15280

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.