PT-2024-13215 · Fonttools+3
Acornall · Published 2024-01-09 · Updated 2025-12-09
CVE-2023-45139
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
fontTools versions 4.28.2 through 4.42.1
Description
The subsetting module in fontTools has an XML External Entity Injection (XXE) vulnerability that allows an attacker to resolve arbitrary entities when a candidate font (an OT-SVG font) containing an SVG table is parsed. This enables attackers to include arbitrary files from the filesystem fontTools is running on or to make web requests from the host system.
Recommendations
For fontTools versions 4.28.2 through 4.42.1, update to version 4.43.0 to patch the vulnerability.
As a temporary workaround, consider setting the resolve_entities=False flag on parsing methods to mitigate the issue.
Restrict access to untrusted OT-SVG fonts to minimize the risk of exploitation.
Consider disallowing doctype declarations and implementing recursive regex matching as additional mitigation measures.
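The "disallow doctype declarations" mitigation above can be enforced before any SVG table document reaches the XML parser. The following is an added example, not fontTools code: a standard-library-only pre-check using expat's declaration handlers, run over constructed sample documents (the file:// path is a placeholder, not a real target). The function names, the sample documents and the triage labels are assumptions of this example.

```python
"""Pre-check OT-SVG documents for DOCTYPE/entity declarations before parsing.

Added example for the advisory's workaround; it is independent of the lxml
resolve_entities=False fix shipped in fontTools 4.43.0 and works with the
standard library alone."""
import xml.parsers.expat


class UnsafeSvgDocument(ValueError):
    """Raised when an SVG document carries a DOCTYPE or entity declaration."""


def check_svg_document(svg_xml: bytes) -> bool:
    """Return True if the document declares no DOCTYPE, no entities and no
    external entity references; raise UnsafeSvgDocument otherwise.
    Expat fires the DOCTYPE handler first, so a document with an internal
    subset is rejected before any entity it declares is even seen."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeSvgDocument(f"DOCTYPE {name!r} not allowed in SVG table")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeSvgDocument(f"entity declaration {name!r} not allowed")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeSvgDocument(f"external entity reference to {sysid!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(svg_xml, True)  # raises ExpatError on malformed XML
    return True


def triage_svg_documents(docs):
    """Classify each document as ("ok"|"unsafe"|"malformed", reason) so a
    caller can log which font document was rejected and why."""
    results = []
    for doc in docs:
        try:
            check_svg_document(doc)
            results.append(("ok", ""))
        except UnsafeSvgDocument as exc:
            results.append(("unsafe", str(exc)))
        except xml.parsers.expat.ExpatError as exc:
            results.append(("malformed", str(exc)))
    return results


# Constructed sample documents (hypothetical SVG table entries).
BENIGN_SVG = (b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg" '
              b'id="glyph1"><rect width="10" height="10"/></svg>')
XXE_SVG = (b'<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY ext SYSTEM '
           b'"file:///placeholder/local-file">]>'
           b'<svg xmlns="http://www.w3.org/2000/svg">&ext;</svg>')
MALFORMED_SVG = b'<svg><rect></svg>'
```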
Affected Products
Debian
Linuxmint
Ubuntu
Fonttools