Facebook is warning that a FreeType vulnerability in all versions up to 2.13 can lead to arbitrary code execution, with reports that the flaw has been exploited in attacks. Facebook disclosed the flaw yesterday, warning that the vulnerability is exploitable in all versions of FreeType up to version 2.13 and that there are reports of it actively being exploited in attacks. Although the latest vulnerable version (2.13.0) dates two years, older library versions can persist in software projects for extended periods, making it important to address the flaw as soon as possible. "An out of bounds write exists in FreeType versions 2.13.0 and below when attempting to parse font subglyph structures related to TrueType GX and variable font files," reads the bulletin. Facebook may rely on FreeType in some capacity, but it is unclear if the attacks seen by its security team took place on its platform or if they discovered them elsewhere. Bill Toulas Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks. Considering the widespread use of FreeType across multiple platforms, software developers and project administrators must upgrade to FreeType 2.13.3 (latest version) as soon as possible. FreeType is a popular open-source font rendering library used to display text and programmatically add text to images. The vulnerability, tracked under CVE-2025-27363 and given a CVSS v3 severity score of 8.1 ("high"), was fixed in FreeType version 2.13.0 on February 9th, 2023. "We report security bugs in open source software when we find them because it strengthens online security for everyone," Facebook told BleepingComputer.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 12 Mar 2025 21:05:17 +0000