Ethical Hacking News

FreeType Vulnerability: A Cautionary Tale of Neglect and Security


Facebook has issued a warning about a FreeType vulnerability that remains exploitable across all versions up to 2.13 despite being patched in February 2023. The company has reported that malicious actors have actively exploited this bug, leading to arbitrary code execution and potential security breaches.

  • Facebook has disclosed a critical vulnerability in the FreeType library (CVE-2025-27363) with a CVSS v3 severity score of 8.1.
  • The vulnerability is exploitable in all versions of FreeType up to version 2.13 and has been actively exploited in attacks.
  • The bug involves an out-of-bounds write due to a signed short value being assigned to an unsigned long, potentially leading to arbitrary code execution.
  • Other organizations should take immediate action to address this issue, as the threat is not limited to Facebook's platform.
  • The latest version of FreeType (2.13.3) has already been patched and software developers must upgrade to prevent exploitation by malicious actors.



    Facebook has recently disclosed a critical vulnerability in the FreeType library, a widely-used open-source font rendering library that is installed on millions of systems and services across various platforms. This vulnerability, tracked under CVE-2025-27363 and given a CVSS v3 severity score of 8.1 ("high"), was fixed in FreeType version 2.13.0 on February 9th, 2023. Despite this, the company is now warning that the vulnerability remains exploitable in all versions of FreeType up to version 2.13 and has been actively exploited in attacks.


    The vulnerability in question involves a bug in the FreeType library's font subglyph structures related to TrueType GX and variable font files. Specifically, the code assigns a signed short value to an unsigned long and then adds a static value, causing the result to wrap around and allocate a heap buffer that is too small. This leads to an out-of-bounds write, which can potentially result in arbitrary code execution.
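    The integer-conversion mistake described above, shown as an added example in C (not FreeType's code): a hypothetical signed 16-bit count read from a font header is converted to unsigned long and has a constant added, beside a checked version that rejects the bad input before any allocation. The field name and the constant are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed constant added to the count (stands in for the "static value"
 * described in the article; not FreeType's real figure). */
#define HEADER_OVERHEAD 16UL

/* Buggy size computation. The signed short is converted to unsigned long,
 * so a negative count such as -1 becomes ULONG_MAX (sign extension), and
 * adding HEADER_OVERHEAD wraps modulo 2^N to a tiny value: the heap buffer
 * allocated from this size is far smaller than the data later written. */
unsigned long buggy_alloc_size(short count)
{
    unsigned long size = count;   /* implicit sign extension */
    size += HEADER_OVERHEAD;      /* wraps for negative counts */
    return size;
}

/* Hardened version: validate the untrusted count before converting it and
 * check the addition for overflow. Returns false instead of a bogus size. */
bool checked_alloc_size(short count, size_t *out)
{
    if (count < 0)
        return false;             /* negative counts are malformed input */
    size_t n = (size_t)count;
    if (n > SIZE_MAX - HEADER_OVERHEAD)
        return false;             /* would wrap; cannot happen here, but cheap */
    *out = n + HEADER_OVERHEAD;
    return true;
}

int main(void)
{
    short samples[] = { 100, -1 };   /* constructed header values */
    for (size_t i = 0; i < 2; i++) {
        size_t safe = 0;
        bool ok = checked_alloc_size(samples[i], &safe);
        printf("count=%d buggy=%lu checked=%s\n", samples[i],
               buggy_alloc_size(samples[i]), ok ? "ok" : "rejected");
    }
    return 0;
}
```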


    The severity of this vulnerability cannot be overstated. Given its widespread use across multiple platforms, including Linux, Android, game engines, GUI frameworks, and online platforms, it is no surprise that malicious actors have been able to exploit this bug to gain unauthorized access to systems and execute arbitrary code.


    According to Facebook, the company itself may rely on FreeType in some capacity. However, it is unclear whether the attacks seen by its security team took place on its platform or if they were discovered elsewhere. The fact that Facebook is now warning about this vulnerability suggests that the threat is not limited to their own systems and that other organizations should take immediate action to address this issue.


    Fortunately, the latest version of FreeType, 2.13.3, has already been patched. In light of this, software developers and project administrators must upgrade to this version as soon as possible to prevent exploitation by malicious actors. Although the last vulnerable version dates back two years, older library versions can persist in software projects for extended periods, making it crucial to address this flaw as quickly as feasible.


    Facebook's decision to disclose this vulnerability is a welcome move that strengthens online security for everyone. By reporting security bugs in open-source software, Facebook demonstrates its commitment to safeguarding users' private communications and protecting against the ever-evolving landscape of cyber threats.


    In conclusion, this FreeType vulnerability serves as a stark reminder of the importance of vigilance and proactive defense strategies when it comes to addressing emerging cybersecurity risks. As organizations continue to navigate an increasingly complex digital landscape, it is essential that they prioritize swift action in identifying and addressing vulnerabilities such as the one disclosed by Facebook.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/FreeType-Vulnerability-A-Cautionary-Tale-of-Neglect-and-Security-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/facebook-discloses-freetype-2-flaw-exploited-in-attacks/


  • Published: Wed Mar 12 21:04:10 2025 by llama3.2 3B Q4_K_M