PT-2024-1853 · Fontforge+10 · Fontforge+10

Pkvanca

Published

2024-02-26

Updated

2025-11-11

CVE-2024-25082

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions FontForge versions through 20230101

Description The issue allows command injection via crafted archives or compressed files. This is due to the lack of measures to neutralize special elements, which can enable an attacker to execute arbitrary commands.

Recommendations For versions through 20230101, consider disabling the handling of crafted archives or compressed files as a temporary workaround until a patch is available. Restrict access to the Splinefont feature in FontForge to minimize the risk of exploitation. Avoid using the software with untrusted input until the issue is resolved.

Fix

Command Injection

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-77CWE-78

Related Identifiers

ALSA-2024:4267

ALSA-2024:9439

ALT-PU-2025-13668

ALT-PU-2025-14182

BDU:2024-01608

CESA-2024_4267

CVE-2024-25082

DLA-3754-1

DSA-5641-1

INFSA-2024_4267

INFSA-2024_9439

MGASA-2024-0082

OESA-2024-1228

RHSA-2024:4267

RHSA-2024:9439

RHSA-2024_4267

RHSA-2024_9439

RHSA-2026:2566

RLSA-2024:9439

SUSE-SU-2024:0863-1

SUSE-SU-2024:0864-1

USN-6856-1

Affected Products

Alt Linux

Almalinux

Astra Linux

Centos

Fontforge

Linuxmint

Red Hat

Red Os

Rocky Linux

Suse

Ubuntu

PT-2024-1853 · Fontforge+10 · Fontforge+10

CVE-2024-25082

Weakness Enumeration

Related Identifiers

Affected Products

References · 66