Detections
Analytics

Ubuntu 22.04 LTS / 24.04 LTS / 25.04 / 25.10 : fontTools vulnerabilities (USN-7917-1)

critical Nessus Plugin ID 278076

Synopsis

The remote Ubuntu host is missing one or more security updates.

Description

The remote Ubuntu 22.04 LTS / 24.04 LTS / 25.04 / 25.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-7917-1 advisory.

 It was discovered that the subsetting module of fontTools was vulnerable to an XML External Entity (XEE) attack. An unauthenticated remote attacker could possibly use this issue to include arbitrary files from the file system or make web requests from the host system. This issue only

 affected Ubuntu 22.04 LTS. (CVE-2023-45139)

 It was discovered that fontTools was vulnerable to path traversal attacks. If a user or automated system were tricked into extracting a specially crafted .designspace file, an attacker could possibly use this issue to write arbitrary files outside the target directory, resulting in remote code execution. This issue only affected Ubuntu 24.04 LTS, Ubuntu 25.04 and Ubuntu 25.10. (CVE-2025-66034)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected fonttools and / or python3-fonttools packages.

See Also

https://ubuntu.com/security/notices/USN-7917-1

Plugin Details

Severity: Critical

ID: 278076

File Name: ubuntu_USN-7917-1.nasl

Version: 1.1

Type: local

Agent: unix

Published: 12/10/2025

Updated: 12/10/2025

Supported Sensors: Nessus Agent, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-66034

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:canonical:ubuntu_linux:25.04, cpe:/o:canonical:ubuntu_linux:25.10, cpe:/o:canonical:ubuntu_linux:24.04:-:lts, p-cpe:/a:canonical:ubuntu_linux:fonttools, cpe:/o:canonical:ubuntu_linux:22.04:-:lts, p-cpe:/a:canonical:ubuntu_linux:python3-fonttools

Required KB Items: Host/cpu, Host/Debian/dpkg-l, Host/Ubuntu, Host/Ubuntu/release

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/9/2025

Vulnerability Publication Date: 1/9/2024

Reference Information

CVE: CVE-2023-45139, CVE-2025-66034

USN: 7917-1