CVE-2025-66034

MEDIUM

fonttools 4.33.0-4.60.1 - Remote Code Execution via Malicious .designspace File Processing

Title source: llm

Exploitation Summary

EIP tracks 7 public exploits for CVE-2025-66034. PoCs and writeups published by v3cn4x00, V0idW1re, jwsly12, 4nuxd, d0x-awrqxavc, tristanqtn and Liquid1998.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2025-66034, leveraging path traversal and XML injection in fontTools varLib to achieve remote code execution via a crafted .designspace file.

Description

fontTools is a library for manipulating fonts, written in Python. In versions from 4.33.0 to before 4.60.2, the fonttools varLib command (or python3 -m fontTools.varLib) has an arbitrary file write vulnerability that leads to remote code execution when a malicious .designspace file is processed. The vulnerability affects the main() code path of fontTools.varLib, used by the fonttools varLib CLI and any code that invokes fontTools.varLib.main(). This issue has been patched in version 4.60.2. Note that the CVSS vector below rates the CLI context (AV:L, UI:R: someone has to run varLib on the file); every PoC tracked here instead targets a web application that hands uploaded .designspace files to varLib, where the file write, and a PHP webshell dropped into the web root, is reachable over HTTP with no authentication.
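Two checks a practitioner wants before an untrusted .designspace file reaches fontTools.varLib.main(): whether the installed fonttools falls in the affected range, and whether any file-naming attribute in the document would write outside the directory the wrapper chose for it (the traversal and absolute-path tricks the PoC summaries describe). The block below is an added example for this page, not fontTools code and not taken from any of the PoCs. It assumes nothing about which designspace attribute varLib actually used to derive the output path (the page does not say), so it checks every path-bearing attribute of the designspace 4/5 format; treating the variable-font `name` as a fallback output name is an assumption stated in the code. The two sample documents are constructed, and the `/srv/fonts/...` base directory is hypothetical.

```python
"""Pre-flight checks before an untrusted .designspace file reaches fontTools.varLib.main().

Added example for this page; it is not fontTools code and not taken from any of the PoCs.
"""
import os
import re
import xml.etree.ElementTree as ET  # for untrusted XML in production prefer defusedxml.ElementTree

FIRST_AFFECTED = (4, 33, 0)   # advisory: affected from 4.33.0 ...
FIXED = (4, 60, 2)            # ... up to but not including 4.60.2


def parse_version(ver: str) -> tuple:
    """Reduce '4.60.1', '4.60.2.post1' or '4.61.0rc1' to a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", ver)
    if not m:
        raise ValueError(f"unparseable version {ver!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected_version(ver: str) -> bool:
    """True when 4.33.0 <= fonttools < 4.60.2, the range the advisory names."""
    return FIRST_AFFECTED <= parse_version(ver) < FIXED


# Designspace attributes that name files on disk. Which of these varLib used to build the
# output path is not stated on this page, so all of them are checked; variable-font "name"
# is included on the assumption that it serves as the output name when "filename" is absent.
PATH_ATTRS = (
    (".//sources/source", "filename"),
    (".//instances/instance", "filename"),
    (".//variable-fonts/variable-font", "filename"),
    (".//variable-fonts/variable-font", "name"),
)


def designspace_paths(xml_bytes: bytes):
    """Yield (tag, attribute, value) for every file-naming attribute in the document."""
    root = ET.fromstring(xml_bytes)
    for xpath, attr in PATH_ATTRS:
        for el in root.iterfind(xpath):
            value = el.get(attr)
            if value is not None:
                yield (el.tag, attr, value)


def is_confined(base_dir: str, candidate: str) -> bool:
    """True if candidate, joined onto base_dir, cannot leave base_dir.

    Absolute candidates are refused outright (the pipeline chooses the directory, the upload
    does not); relative ones are resolved with realpath so '../' sequences and symlinks inside
    base_dir that point outside are both caught.
    """
    if os.path.isabs(candidate):
        return False
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, candidate))
    try:
        return os.path.commonpath([base, target]) == base
    except ValueError:  # different drives on Windows
        return False


def check_designspace(xml_bytes: bytes, base_dir: str) -> list:
    """Return the (tag, attribute, value) entries that would write outside base_dir; [] means OK."""
    return [entry for entry in designspace_paths(xml_bytes) if not is_confined(base_dir, entry[2])]


# Constructed sample documents (not from any PoC): one honest designspace 5.0 file and one whose
# variable-font filenames try to land a .php file under a web root via traversal and an absolute path.
_SOURCES = b"""
  <axes><axis tag="wght" name="Weight" minimum="400" maximum="700" default="400"/></axes>
  <sources>
    <source filename="masters/Regular.ttf" name="Regular"><location><dimension name="Weight" xvalue="400"/></location></source>
    <source filename="masters/Bold.ttf" name="Bold"><location><dimension name="Weight" xvalue="700"/></location></source>
  </sources>"""

BENIGN = b'<?xml version="1.0" encoding="UTF-8"?>\n<designspace format="5.0">' + _SOURCES + b"""
  <variable-fonts>
    <variable-font name="MyFont-VF" filename="MyFont-VF.ttf"><axis-subsets><axis-subset name="Weight"/></axis-subsets></variable-font>
  </variable-fonts>
</designspace>"""

MALICIOUS = b'<?xml version="1.0" encoding="UTF-8"?>\n<designspace format="5.0">' + _SOURCES + b"""
  <variable-fonts>
    <variable-font name="Shell-VF" filename="../../var/www/html/cmd.php"><axis-subsets><axis-subset name="Weight"/></axis-subsets></variable-font>
    <variable-font name="Shell2-VF" filename="/var/www/html/cmd2.php"><axis-subsets><axis-subset name="Weight"/></axis-subsets></variable-font>
  </variable-fonts>
</designspace>"""


if __name__ == "__main__":
    base = "/srv/fonts/job-1234"  # hypothetical per-job output directory
    for ver in ("4.32.0", "4.33.0", "4.60.1", "4.60.2"):
        print(f"fonttools {ver}: {'AFFECTED' if is_affected_version(ver) else 'not affected'}")
    print("benign    ->", check_designspace(BENIGN, base))
    print("malicious ->", check_designspace(MALICIOUS, base))
```

The validator is a belt-and-braces measure for wrappers that cannot upgrade immediately; the actual fix is fonttools 4.60.2. Rejecting absolute paths even when they happen to point inside the output directory is deliberate: an upload should never get to choose where its output lands.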

Exploits (7)

nomisec · WORKING POC · 2 stars
by v3cn4x00 · poc
https://github.com/v3cn4x00/POC-CVE-2025-66034

This repository contains a functional exploit for CVE-2025-66034, leveraging path traversal and XML injection in fontTools varLib to achieve remote code execution via a crafted .designspace file.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: fontTools varLib (versions >= 4.33.0, < 4.60.2)
No auth needed
Prerequisites: Python 3.9+ · fonttools and requests libraries · target application accepting .designspace file uploads
devstral-2 · analyzed Mar 22, 2026
nomisec · WRITEUP
by V0idW1re · poc
https://github.com/V0idW1re/HTB-VariaType-Writeup

This is a detailed technical writeup of a penetration test on HackTheBox's VariaType machine, covering multiple CVEs including CVE-2025-66034, with in-depth analysis of exploitation steps, root cause, and remediation.

Classification: Writeup (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: fontTools library (version not specified)
No auth needed
Prerequisites: Access to the target web application · Ability to upload malicious files
devstral-2 · analyzed Apr 09, 2026
nomisec · WORKING POC
by jwsly12 · poc
https://github.com/jwsly12/CVE-2025-66034-htb-ctf

This repository contains a functional exploit for CVE-2025-66034, targeting a vulnerability in the VariaType font generation process. The exploit crafts a malicious .designspace XML file with a PHP reverse shell payload embedded in the metadata, achieving RCE when processed by the server.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: VariaType Variable Font Generator (fontTools library)
No auth needed
Prerequisites: Python 3 · fontTools library · requests library · access to the target server's upload endpoint
devstral-2 · analyzed Apr 09, 2026
nomisec · WORKING POC
by 4nuxd · poc
https://github.com/4nuxd/CVE-2025-66034

This repository contains a functional exploit for CVE-2025-66034, leveraging an arbitrary file write vulnerability in `fontTools.varLib` via XML injection and path traversal to achieve unauthenticated remote code execution. The exploit crafts a malicious `.designspace` file with a PHP webshell payload and an absolute path to bypass intended output directory restrictions.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: fontTools.varLib (specific version not specified)
No auth needed
Prerequisites: Access to a vulnerable font processing endpoint · Ability to send HTTP POST requests to the target
devstral-2 · analyzed Apr 09, 2026
nomisec · WORKING POC
by d0x-awrqxavc · poc
https://github.com/d0x-awrqxavc/CVE-2025-66034

This repository contains a functional exploit for CVE-2025-66034, a path traversal vulnerability in VariaType HTB. The exploit leverages a variable font generator to upload malicious TTF files, achieving remote code execution via a webshell or reverse shell.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: VariaType HTB (variable font generator tool)
No auth needed
Prerequisites: Network access to the target · Python environment with required dependencies (requests, fontTools)
devstral-2 · analyzed Mar 21, 2026
nomisec · WORKING POC
by tristanqtn · poc
https://github.com/tristanqtn/CVE-2025-66034

This repository contains a functional exploit for CVE-2025-66034, which leverages an arbitrary file write vulnerability in fontTools' varLib module. The exploit crafts a malicious .designspace file with path traversal and PHP injection to achieve remote code execution via a webshell.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: fontTools (varLib module)
No auth needed
Prerequisites: Access to a fontTools-backed web endpoint · Ability to submit a .designspace file
devstral-2 · analyzed Mar 22, 2026
nomisec · WORKING POC
by Liquid1998 · poc
https://github.com/Liquid1998/Variatype.htb-CVE-2025-66034

This exploit leverages a file upload vulnerability in the variable-font-generator tool to write a PHP webshell to a predictable location, then executes arbitrary commands via HTTP requests. The payload is embedded in an XML designspace file with a malicious labelname CDATA section.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Variatype.htb variable-font-generator (unknown version)
No auth needed
Prerequisites: Network access to the target · Python 3 with requests and BeautifulSoup
devstral-2 · analyzed Mar 17, 2026

Scores

CVSS v3: 6.3 (Medium)
EPSS: 0.0008 (0.08%)
EPSS percentile: 24.9%
Attack Vector: Local
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:L

CISA SSVC (Vulnrichment)

Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-91 (XML Injection)
Status: published
Products (2)
fonttools/fonttools >= 4.33.0, < 4.60.2
pypi/fonttools >= 4.33.0, < 4.60.2 (PyPI)
Published: Nov 29, 2025
Tracked since: Feb 18, 2026