PT-2024-1850 · Fontforge+10 · Fontforge+10

Pkvanca

·

Published

2024-02-26

·

Updated

2025-11-11

·

CVE-2024-25081

CVSS v3.1

4.2

Medium

VectorAV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions FontForge versions through 20230101
Description The issue exists due to the lack of neutralization of special elements in the software. This can allow an attacker to execute arbitrary commands via crafted filenames. The estimated number of potentially affected devices worldwide is not specified. Details about real-world incidents where this issue was exploited are not provided.
Recommendations For versions through 20230101, consider disabling the ability to process crafted filenames as a temporary workaround until a patch is available. Restrict access to the Splinefont feature in FontForge to minimize the risk of exploitation. Avoid using the Splinefont feature with untrusted input until the issue is resolved.

Fix

Command Injection

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-77CWE-78

Related Identifiers

ALSA-2024:4267
ALSA-2024:9439
ALT-PU-2025-13668
ALT-PU-2025-14182
BDU:2024-01604
CESA-2024_4267
CVE-2024-25081
DLA-3754-1
DSA-5641-1
INFSA-2024_4267
INFSA-2024_9439
MGASA-2024-0082
OESA-2024-1228
OPENSUSE-SU-2024:13755-1
RHSA-2024:4267
RHSA-2024:9439
RHSA-2024_4267
RHSA-2024_9439
RHSA-2026:2566
RLSA-2024:9439
SUSE-SU-2024:0863-1
SUSE-SU-2024:0864-1
SUSE-SU-2024_0863-1
SUSE-SU-2024_0864-1
USN-6856-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Fontforge
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu