CVE-2025-66034

This repository contains a functional exploit for CVE-2025-66034, leveraging path traversal and XML injection in fontTools varLib to achieve remote code execution via a crafted .designspace file.

This is a detailed technical writeup of a penetration test on HackTheBox's VariaType machine, covering multiple CVEs including CVE-2025-66034, with in-depth analysis of exploitation steps, root cause, and remediation.

This repository contains a functional exploit for CVE-2025-66034, targeting a vulnerability in the VariaType font generation process. The exploit crafts a malicious .designspace XML file with a PHP reverse shell payload embedded in the metadata, achieving RCE when processed by the server.

This repository contains a functional exploit for CVE-2025-66034, leveraging an arbitrary file write vulnerability in `fontTools.varLib` via XML injection and path traversal to achieve unauthenticated remote code execution. The exploit crafts a malicious `.designspace` file with a PHP webshell payload and an absolute path to bypass intended output directory restrictions.

This repository contains a functional exploit for CVE-2025-66034, a path traversal vulnerability in VariaType HTB. The exploit leverages a variable font generator to upload malicious TTF files, achieving remote code execution via a webshell or reverse shell.

This repository contains a functional exploit for CVE-2025-66034, which leverages an arbitrary file write vulnerability in fontTools' varLib module. The exploit crafts a malicious .designspace file with path traversal and PHP injection to achieve remote code execution via a webshell.

This exploit leverages a file upload vulnerability in the variable-font-generator tool to write a PHP webshell to a predictable location, then executes arbitrary commands via HTTP requests. The payload is embedded in an XML designspace file with a malicious labelname CDATA section.