Fonttools · Fonttools · CVE-2023-45139
**Name of the Vulnerable Software and Affected Versions**
fontTools versions 4.28.2 through 4.42.1
**Description**
The OT-SVG subsetting module in fontTools has an XML External Entity (XXE) injection vulnerability. When a font that contains an `SVG ` table is subset, each SVG document in that table is parsed with external entity resolution enabled, so a crafted font can declare external entities that the parser resolves on the attacker's behalf. An attacker who can get a malicious OT-SVG font subset (for example, through a web font pipeline that subsets uploaded fonts) can read arbitrary files from the filesystem fontTools is running on or make requests to other hosts from that machine, with the retrieved content ending up in the subset font's SVG table.
**Recommendations**
For fontTools versions 4.28.2 through 4.42.1, update to version 4.43.0 or later, which patches the vulnerability.
As a temporary workaround, set `resolve_entities=False` on the lxml parser used for the SVG table (the flag the 4.43.0 fix sets), so that entity references are kept verbatim instead of being resolved.
Do not subset OT-SVG fonts from untrusted sources until the fix is applied.
Consider also rejecting any SVG document that carries a DOCTYPE declaration (OT-SVG documents are not expected to contain one), for example by screening the raw document text with a regular expression for `<!DOCTYPE` or `<!ENTITY` before it reaches the parser.
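The following is an added example, not code from fontTools or its advisory. It builds a constructed OT-SVG-style document whose DOCTYPE declares an external entity pointing at a local file (a temporary file stands in for something sensitive such as `/etc/passwd`), then parses it two ways with lxml, the parser fontTools uses for the SVG table: once with entity resolution explicitly enabled, as pre-4.43.0 fontTools effectively had, and once with `resolve_entities=False`, the flag the fix sets. It also shows the DOCTYPE pre-screen suggested above, implemented here as a simple regular-expression check over the document text; `has_doctype`, `run_demo` and the other function names are illustrative, and the leak is forced with `resolve_entities=True` so the result does not depend on the installed lxml's default.

```python
"""
Added example (not fontTools code): XXE through an OT-SVG document,
the hardened lxml parser configuration, and a DOCTYPE pre-screen.
"""
import os
import re
import tempfile
from pathlib import Path

try:
    from lxml import etree  # fontTools parses the SVG table with lxml
except ImportError:  # the pre-screen still runs without lxml installed
    etree = None

SVG_NS = "http://www.w3.org/2000/svg"
# Constructed stand-in for the contents of a sensitive local file.
SECRET = "constructed secret file contents"

# Screen for DOCTYPE / ENTITY declarations before the document reaches any parser.
_DOCTYPE_RE = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def has_doctype(doc: str) -> bool:
    """True if the raw SVG text carries a DOCTYPE or ENTITY declaration."""
    return _DOCTYPE_RE.search(doc) is not None


def write_secret_file() -> str:
    """Create a temp file playing the role of a file the attacker wants to read."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write(SECRET)
    return path


def malicious_svg_doc(target_path: str) -> str:
    """Constructed SVG document of the kind stored in an OT-SVG 'SVG ' table.

    The internal DTD subset declares an external entity whose SYSTEM id is a
    file:// URL; the entity is referenced inside the glyph's <text> element.
    """
    uri = Path(target_path).resolve().as_uri()
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE svg [<!ENTITY xxe SYSTEM "{uri}">]>\n'
        f'<svg xmlns="{SVG_NS}"><text id="glyph1">&xxe;</text></svg>'
    )


def parse_svg_permissive(doc: str):
    """Vulnerable configuration: external entities are fetched and substituted."""
    parser = etree.XMLParser(resolve_entities=True)
    return etree.fromstring(doc.encode("utf-8"), parser=parser)


def parse_svg_hardened(doc: str):
    """Fixed configuration: entity references stay unresolved in the tree."""
    parser = etree.XMLParser(resolve_entities=False)
    return etree.fromstring(doc.encode("utf-8"), parser=parser)


def glyph_text(root):
    """Text content of the glyph's <text> element, or None if it has no text node."""
    el = root.find(f"{{{SVG_NS}}}text")
    return el.text if el is not None else None


def run_demo() -> dict:
    """Run both parses on the malicious document and report what leaked."""
    path = write_secret_file()
    try:
        doc = malicious_svg_doc(path)
        result = {
            "doctype_detected": has_doctype(doc),
            "lxml_available": etree is not None,
        }
        if etree is not None:
            # Permissive parse: the file contents replace &xxe; in the tree.
            result["permissive_leaks"] = glyph_text(parse_svg_permissive(doc)) == SECRET
            # Hardened parse: serialising the tree still shows a literal &xxe;.
            hardened = etree.tostring(parse_svg_hardened(doc), encoding="unicode")
            result["hardened_leaks"] = SECRET in hardened
        return result
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(run_demo())
```

With the pre-screen in front of the parser, the malicious document is rejected before lxml ever sees the DOCTYPE; with only the hardened parser, the entity reference survives unexpanded in the subset output, which is harmless but will be visible to anyone inspecting the resulting SVG table.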