CVE-2025-66034
Published: 29 November 2025
Summary
CVE-2025-66034 is a medium-severity aka Blind XPath Injection (CWE-91) vulnerability in Fonttools Fonttools. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 24.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates CVE-2025-66034 by requiring timely patching of the fontTools library to version 4.60.2 or later.
Identifies vulnerable fontTools installations through vulnerability scanning, enabling remediation before exploitation via malicious .designspace files.
Restricts execution of unapproved or vulnerable software like affected fontTools versions through whitelisting and usage policies.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Arbitrary file write vulnerability in fontTools varLib, triggered by processing malicious .designspace files via CLI, enables remote code execution consistent with Exploitation for Client Execution (T1203).
NVD Description
fontTools is a library for manipulating fonts, written in Python. In versions from 4.33.0 to before 4.60.2, the fonttools varLib (or python3 -m fontTools.varLib) script has an arbitrary file write vulnerability that leads to remote code execution when a malicious…
more
.designspace file is processed. The vulnerability affects the main() code path of fontTools.varLib, used by the fonttools varLib CLI and any code that invokes fontTools.varLib.main(). This issue has been patched in version 4.60.2.
Deeper analysisAI
CVE-2025-66034 is an arbitrary file write vulnerability in the fontTools Python library for manipulating fonts, affecting versions 4.33.0 through 4.60.1. The issue resides in the fonttools varLib script (invoked via python3 -m fontTools.varLib or fontTools.varLib.main()), which processes .designspace files. A malicious .designspace file can trigger the vulnerability in the main() code path, enabling arbitrary file writes that lead to remote code execution.
The vulnerability has a CVSS v3.1 base score of 6.3 (AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:L) and is associated with CWE-91 (XML Injection). Exploitation requires local access and high attack complexity, with no privileges needed but user interaction required, such as tricking a user into running the varLib CLI on a crafted .designspace file. Successful exploitation allows an attacker to achieve remote code execution through arbitrary file writes, with high integrity impact, low availability impact, and changed scope.
The vulnerability has been patched in fontTools version 4.60.2. Security practitioners should upgrade to this version or later. Additional details are available in the GitHub security advisory (GHSA-768j-98cg-p3fv) and the patching commit (a696d5ba93270d5954f98e7cab5ddca8a02c1e32).
Details
- CWE(s)