Out-of-bounds Write Affecting freetype package, versions [,2.13.0)


Severity

critical

CVSS assessment made by Snyk's Security Team.

  • Snyk ID: SNYK-UNMANAGED-FREETYPE-9459052
  • Published: 16 Mar 2025
  • Disclosed: 15 Mar 2025

Introduced: 15 Mar 2025

CVE: CVE-2025-27363
CWE: CWE-787 (Out-of-bounds Write)

How to fix?

Upgrade freetype to version 2.13.0 or higher.

Overview

Affected versions of this package are vulnerable to Out-of-bounds Write when parsing font subglyph structures in TrueType GX and variable font files. The issue arises because a signed short value is assigned to an unsigned long and a static value is then added to it; a negative short becomes a very large unsigned value, and the addition wraps around, so the resulting heap buffer is allocated too small. Consequently, up to 6 signed long integers are written out of bounds relative to this buffer, potentially leading to arbitrary code execution.
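The arithmetic the overview describes, as an added illustration that is not FreeType's code: a negative signed short widened to unsigned long, plus a constant, wraps to an undersized allocation. `EXTRA_SLOTS` and the function names are assumed stand-ins, and the hardened variant shows the check a parser should make before allocating.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical stand-in for the "static value" the advisory mentions; it is
 * not FreeType's real constant, just enough to reproduce the arithmetic. */
#define EXTRA_SLOTS 6UL

/* Vulnerable pattern: a signed short is widened into an unsigned long and a
 * constant is added. A negative count first becomes a huge value, then the
 * addition wraps it around to a tiny allocation size. */
unsigned long vuln_slot_count(short count)
{
    unsigned long n = count;  /* count = -2 becomes ULONG_MAX - 1 */
    n += EXTRA_SLOTS;         /* ... and wraps to 4 */
    return n;
}

/* How many of the EXTRA_SLOTS fixed writes would land past a buffer sized by
 * vuln_slot_count(); 0 means the buffer is large enough. Counts from -6 to -1
 * spill (matching the advisory's "up to 6"); counts below that produce an
 * enormous size whose allocation simply fails. */
unsigned long overflow_slots(short count)
{
    unsigned long allocated = vuln_slot_count(count);
    return allocated >= EXTRA_SLOTS ? 0 : EXTRA_SLOTS - allocated;
}

/* Hardened pattern: reject negative counts before widening and check that the
 * addition cannot overflow. Returns 1 and stores the size, or 0 to abort. */
int safe_slot_count(short count, unsigned long *out)
{
    if (count < 0)
        return 0;
    unsigned long n = (unsigned long)count;
    if (n > ULONG_MAX - EXTRA_SLOTS)
        return 0;
    *out = n + EXTRA_SLOTS;
    return 1;
}

int main(void)
{
    unsigned long size = 0;
    for (short c = -7; c <= 1; c++)
        printf("count=%2d vuln=%lu spill=%lu safe=%d\n", c,
               vuln_slot_count(c), overflow_slots(c), safe_slot_count(c, &size));
    return 0;
}
```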
