Facebook is warning that a FreeType vulnerability in all versions up to 2.13 can lead to arbitrary code execution, with reports that the flaw has been exploited in attacks.
FreeType is a popular open-source font rendering library used to display text and programmatically add text to images. It provides functionality to load, rasterize, and render fonts in various formats, such as TrueType (TTF), OpenType (OTF), and others.
The library is installed in millions of systems and services, including Linux, Android, game engines, GUI frameworks, and online platforms.
The vulnerability, tracked under CVE-2025-27363 and given a CVSS v3 severity score of 8.1 (“high”), was fixed in FreeType version 2.13.0 on February 9th, 2023.
Facebook disclosed the flaw yesterday, warning that the vulnerability is exploitable in all versions of FreeType up to version 2.13 and that there are reports of it actively being exploited in attacks.
“An out of bounds write exists in FreeType versions 2.13.0 and below when attempting to parse font subglyph structures related to TrueType GX and variable font files,” reads the bulletin.
“The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer.”
“The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution.”
Facebook may rely on FreeType in some capacity, but it is unclear if the attacks seen by its security team took place on its platform or if they discovered them elsewhere.
Considering the widespread use of FreeType across multiple platforms, software developers and project administrators must upgrade to FreeType 2.13.3 (latest version) as soon as possible.
Although the latest vulnerable version (2.13.0) dates two years, older library versions can persist in software projects for extended periods, making it important to address the flaw as soon as possible.
BleepingComputer asked Meta about the flaw and how it was exploited, and was sent the following statement.
“We report security bugs in open source software when we find them because it strengthens online security for everyone,” Facebook told BleepingComputer.
“We think users expect us to keep working on ways to improve security. We remain vigilant and committed to protecting people’s private communications.”
Based on an analysis of 14M malicious actions, discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.
