fonttools XML External Entity Injection (XXE) Vulnerability
Description
fontTools is a library for manipulating fonts, written in Python. The subsetting module has an XML External Entity Injection (XXE) vulnerability which allows an attacker to resolve arbitrary entities when a candidate font that contains an SVG table (an OT-SVG font) is parsed. This allows attackers to read arbitrary files from the filesystem fontTools is running on or make web requests from the host system. This vulnerability has been patched in version 4.43.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
fontTools subsetting module has an XML External Entity Injection (XXE) vulnerability in OT-SVG font parsing, allowing arbitrary file reads and SSRF, patched in version 4.43.0.
Vulnerability
Overview
The fontTools library, a Python-based tool for manipulating font files, contains an XML External Entity (XXE) injection vulnerability in its subsetting module. The vulnerability arises when subsetting a candidate font that includes an SVG table (an OT-SVG font): each SVG document in the table is handed to an lxml XMLParser, and that parser resolves entities by default. An attacker who can supply a crafted font file can therefore trigger arbitrary entity resolution during subsetting [1][4].
Exploitation
Exploitation requires the attacker to provide a malicious OT-SVG font whose SVG table carries a document with an external entity definition in its DOCTYPE. For example, the SVG document can declare an entity whose system identifier points at a local file (e.g., /etc/passwd) or at a URL, and then reference that entity in its content. When the fontTools subsetting module processes this font, the XML parser resolves the entity, leaking file contents into the parsed document or making the request from the host (server-side request forgery, SSRF) [4]. No authentication is needed if the attacker can supply the font file to a service that uses fontTools' subsetting functionality.
Impact
Successful exploitation allows an attacker to read arbitrary files from the filesystem where fontTools is running, such as configuration files or sensitive data. Additionally, the attacker can make arbitrary web requests from the host system, potentially accessing internal services or exfiltrating data. The impact is limited by the privileges of the fontTools process but can be severe in server-side contexts where font files are processed automatically [2][4].
Mitigation
The vulnerability has been patched in fontTools version 4.43.0. The fix constructs the lxml XMLParser used for OT-SVG documents with resolve_entities=False, which disables entity resolution [3]. Users should upgrade to version 4.43.0 or later. There is no workaround other than refusing to process untrusted OT-SVG fonts with older versions. The CVE is also listed on the Openwall oss-security mailing list as a publicly disclosed issue [2].
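As an added example (not code from the fontTools project), the following Python script shows the precondition for the XXE described above and a stdlib-only pre-check that a practitioner could run on an untrusted font before an older fontTools touches it. It parses a raw OpenType 'SVG ' table (version 0 header, document index with offsets relative to the index, optionally gzip-compressed documents, per the OpenType specification), extracts every SVG document, and uses expat handlers to record entity declarations, external DTD identifiers and external entity references without ever resolving them. The two SVG documents, the table built from them, and the function names are constructed for this example; the file path /etc/passwd is the one the advisory uses as an illustration. A parser that resolves entities (lxml's default, the pre-4.43.0 behaviour) would open the system identifier where this script only logs it.

```python
"""Added example: audit the SVG documents inside an OT-SVG font table for XML entity use."""
import gzip
import struct
import xml.parsers.expat

SVG_TABLE_HEADER = ">HII"  # version, svgDocumentListOffset, reserved
SVG_DOC_ENTRY = ">HHII"    # startGlyphID, endGlyphID, svgDocOffset, svgDocLength


def parse_svg_table(table: bytes) -> list[tuple[int, int, bytes]]:
    """Return (startGlyphID, endGlyphID, svg_document) for each index entry.
    Offsets are relative to the SVG Document List; documents may be gzip-compressed."""
    version, list_off, _reserved = struct.unpack_from(SVG_TABLE_HEADER, table, 0)
    if version != 0:
        raise ValueError(f"unsupported SVG table version {version}")
    (num_entries,) = struct.unpack_from(">H", table, list_off)
    docs, pos = [], list_off + 2
    for _ in range(num_entries):
        start, end, off, length = struct.unpack_from(SVG_DOC_ENTRY, table, pos)
        pos += struct.calcsize(SVG_DOC_ENTRY)
        blob = table[list_off + off : list_off + off + length]
        if len(blob) != length:
            raise ValueError("SVG document runs past the end of the table")
        if blob[:2] == b"\x1f\x8b":  # gzip magic, permitted by the spec
            blob = gzip.decompress(blob)
        docs.append((start, end, blob))
    return docs


def find_entity_use(doc: bytes) -> list[str]:
    """Parse one SVG document with expat, recording (never resolving) entity
    declarations, external DTD identifiers and external entity references."""
    findings: list[str] = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id or public_id:
            findings.append(f"external-dtd:{system_id or public_id}")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        kind = "external-entity" if (system_id or public_id) else "internal-entity"
        findings.append(f"{kind}:{name}")

    def on_external_ref(context, base, system_id, public_id):
        # A resolving parser would open system_id (file path or URL) here.
        findings.append(f"external-ref:{system_id}")
        return 1  # report "handled" so expat skips the reference instead of aborting

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(doc, True)
    except xml.parsers.expat.ExpatError as exc:
        findings.append(f"malformed:{exc}")  # unparsable documents are suspect too
    return findings


def audit_svg_table(table: bytes) -> list[tuple[int, int, list[str]]]:
    """Per-document findings for a whole SVG table."""
    return [(s, e, find_entity_use(d)) for s, e, d in parse_svg_table(table)]


def svg_table_is_safe(table: bytes) -> bool:
    return all(not findings for _, _, findings in audit_svg_table(table))


def build_svg_table(docs, compress=False) -> bytes:
    """Constructed test data: pack (start, end, document) triples into a
    minimal version-0 SVG table, optionally gzip-compressing each document."""
    blobs = [gzip.compress(d) if compress else d for _, _, d in docs]
    list_off = struct.calcsize(SVG_TABLE_HEADER)
    out = struct.pack(SVG_TABLE_HEADER, 0, list_off, 0) + struct.pack(">H", len(docs))
    off = 2 + struct.calcsize(SVG_DOC_ENTRY) * len(docs)
    for (s, e, _), b in zip(docs, blobs):
        out += struct.pack(SVG_DOC_ENTRY, s, e, off, len(b))
        off += len(b)
    return out + b"".join(blobs)


# Constructed sample documents: one ordinary glyph, one carrying an XXE payload.
BENIGN_DOC = (b'<svg xmlns="http://www.w3.org/2000/svg">'
              b'<g id="glyph1"><rect width="10" height="10"/></g></svg>')
XXE_DOC = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE svg [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
           b'<svg xmlns="http://www.w3.org/2000/svg">'
           b'<g id="glyph2"><text>&xxe;</text></g></svg>')

if __name__ == "__main__":
    table = build_svg_table([(1, 1, BENIGN_DOC), (2, 2, XXE_DOC)], compress=True)
    for start, end, findings in audit_svg_table(table):
        print(f"glyphs {start}-{end}: {findings or 'clean'}")
    print("safe for pre-4.43.0 subsetting:", svg_table_is_safe(table))
```

Run as-is and the second document is reported with the external entity declaration and the reference that a resolving parser would have followed. When lxml is available, the equivalent hardening at parse time is the one the fix commit applies, etree.XMLParser(resolve_entities=False); this check is useful in front of an older fontTools, or as a gate on font uploads, because it rejects the font before any resolving parser sees it.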
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| fonttools (PyPI) | >= 4.28.2, < 4.43.0 | 4.43.0 |
Affected products
- Range: >= 4.28.2, < 4.43.0
Patches
9f61271dc1ca subset: parse OT-SVG with resolve_entities=False
1 file changed · +3 −0
Lib/fontTools/subset/svg.py+3 −0 modified@@ -225,6 +225,9 @@ def subset_glyphs(self, s) -> bool: # ignore blank text as it's not meaningful in OT-SVG; it also prevents # dangling tail text after removing an element when pretty_print=True remove_blank_text=True, + # don't replace entities; we don't expect any in OT-SVG and they may + # aboused for XXE attacks + resolve_entities=False, ), )
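Review bot: the new comment in the parser keyword block misspells "abused" ("they may aboused for XXE attacks" should read "they may be abused for XXE attacks"); since this comment is the only in-code record of why resolve_entities=False is set, fix it before merge. The comment also says entities are not expected in OT-SVG, yet a document that declares them is still accepted and subset with the references left unexpanded; either state that this is intended, or consider rejecting documents that carry a DOCTYPE with entity declarations outright rather than parsing them silently.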
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-6673-4983-2vx5 (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-45139 (NVD)
- www.openwall.com/lists/oss-security/2024/03/08/2 (oss-security)
- www.openwall.com/lists/oss-security/2024/03/09/1 (oss-security)
- github.com/fonttools/fonttools/commit/9f61271dc1ca82ed91f529b130fe5dc5c9bf1f4c (fix commit)
- github.com/fonttools/fonttools/releases/tag/4.43.0 (release)
- github.com/fonttools/fonttools/security/advisories/GHSA-6673-4983-2vx5 (vendor advisory)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VY63B4SGY4QOQGUXMECRGD6K3YT3GJ75 (Fedora package-announce)
News mentions
No linked articles in our index yet.