CVE-2025-66034
Publication date 29 November 2025
Last updated 9 December 2025
Ubuntu priority
CVSS 3 severity score
Description
fontTools is a library for manipulating fonts, written in Python. In versions from 4.33.0 to before 4.60.2, the fonttools varLib (or python3 -m fontTools.varLib) script has an arbitrary file write vulnerability that leads to remote code execution when a malicious .designspace file is processed. The vulnerability affects the main() code path of fontTools.varLib, used by the fonttools varLib CLI and any code that invokes fontTools.varLib.main(). This issue has been patched in version 4.60.2.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| fonttools | 25.10 questing | Fixed 4.55.3-2ubuntu0.25.10.1 |
| fonttools | 25.04 plucky | Fixed 4.55.3-2ubuntu0.25.04.1 |
| fonttools | 24.04 LTS noble | Fixed 4.46.0-1ubuntu0.1~esm1 |
| fonttools | 22.04 LTS jammy | Not affected |
| fonttools | 20.04 LTS focal | Not affected |
| fonttools | 18.04 LTS bionic | Not affected |
| fonttools | 16.04 LTS xenial | Not affected |
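As an added example (not part of the Ubuntu tracker page or the fontTools project), the following Python decides whether an installed fonttools falls inside the vulnerable range of CVE-2025-66034, both for an upstream pip install and for the Ubuntu packages listed in the status table above. It assumes plain X.Y.Z upstream version strings and reimplements the dpkg version ordering, so that a backported fix such as 4.55.3-2ubuntu0.25.10.1 is not mistaken for a vulnerable 4.55.3.

```python
# Added example (not from the Ubuntu tracker or fontTools): is an installed
# fonttools inside the vulnerable range for CVE-2025-66034?  Ubuntu fixed
# versions come from this page's status table and need dpkg comparison rules.
import re
from itertools import zip_longest

UBUNTU_FIXED = {
    "25.10": "4.55.3-2ubuntu0.25.10.1",
    "25.04": "4.55.3-2ubuntu0.25.04.1",
    "24.04": "4.46.0-1ubuntu0.1~esm1",
}
UBUNTU_NOT_AFFECTED = {"22.04", "20.04", "18.04", "16.04"}

def upstream_affected(version: str) -> bool:
    # Plain X.Y.Z upstream (pip) release: affected if 4.33.0 <= v < 4.60.2
    v = tuple(int(p) for p in version.split("."))
    return (4, 33, 0) <= v < (4, 60, 2)

def _order(c: str) -> int:
    # dpkg rank of a non-digit char: '~' < end-of-run ("") < letters < symbols
    return -1 if c == "~" else 0 if not c else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a: str, b: str) -> int:
    # dpkg rule: split into (non-digit, digit) run pairs and compare pairwise;
    # non-digit runs char by char via _order, digit runs numerically.
    pairs = zip_longest(re.findall(r"(\D*)(\d*)", a),
                        re.findall(r"(\D*)(\d*)", b), fillvalue=("", ""))
    for (sa, na), (sb, nb) in pairs:
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
    return 0

def dpkg_cmp(v1: str, v2: str) -> int:
    # Debian version = [epoch:]upstream[-revision]; returns <0, 0 or >0
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return int(epoch), upstream, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def ubuntu_affected(release: str, installed: str) -> bool:
    # Affected if the installed dpkg version predates the fix for that release
    if release in UBUNTU_NOT_AFFECTED:
        return False
    return dpkg_cmp(installed, UBUNTU_FIXED[release]) < 0
```

Note that 4.46.0 is inside the upstream vulnerable range, yet the noble package 4.46.0-1ubuntu0.1~esm1 carries the fix; comparing an Ubuntu package version against the upstream threshold would misclassify it.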
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | |
| Attack vector | Local |
| Attack complexity | High |
| Privileges required | None |
| User interaction | Required |
| Scope | Changed |
| Confidentiality | None |
| Integrity impact | High |
| Availability impact | Low |
| Vector | CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:L |
References
Related Ubuntu Security Notices (USN)
- USN-7917-1: fontTools vulnerabilities (9 December 2025)