
Facebook has issued a security advisory for a high-severity vulnerability in the FreeType font-rendering library that affects all releases prior to 2.13.0 and can lead to arbitrary code execution. According to the advisory, the flaw may already have been exploited in real-world attacks.
FreeType is a widely used open-source library designed for font rendering. It is integrated into various systems and services, including Linux, Android, game engines, graphical interfaces, and web platforms. The library supports multiple font formats, such as TrueType (TTF), OpenType (OTF), and others.
Tracked as CVE-2025-27363, the vulnerability carries a CVSS v3 base score of 8.1 (High). The fix has been in FreeType since version 2.13.0, released on February 9, 2023, so this is not a zero-day in the upstream library. Facebook published its advisory only yesterday, however, and stresses that every FreeType build older than 2.13.0, including copies vendored into other software, remains vulnerable and is being targeted by threat actors.
According to the security bulletin, the flaw is an out-of-bounds write that occurs when parsing subglyph structures in TrueType GX and variable fonts. A signed short value read from the font is assigned to an unsigned long; a negative count therefore becomes a value close to the maximum of the unsigned type, and when the code then adds a small constant to it, the sum wraps around to a tiny number. That tiny number is used as the size of a heap allocation, so the buffer is far smaller than the code expects, and the subsequent writes run past its end. In total the code can write up to six signed long integers beyond the allocated buffer, a heap overflow that can potentially be turned into arbitrary code execution with an attacker-supplied font.
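The integer-conversion pattern described above is easy to misread, so here is an illustrative reconstruction of the bug class in C. This is added example code, not FreeType's own source: the function names, the `EXTRA_SLOTS` constant and the sample counts are hypothetical, chosen only to show why a negative 16-bit count turns into a too-small allocation, and which negative values actually wrap into the dangerous range. The vulnerable size computation is shown next to a hardened version that rejects negative counts before widening and checks the addition for wraparound. The out-of-bounds stores themselves are not performed (that would be undefined behaviour); instead the example computes how many of the fixed writes would land past the buffer.

```c
/* int_wrap_demo.c: illustrative reconstruction of the bug class in the advisory
 * (signed short widened to unsigned long, constant added, size wraps, heap
 * buffer too small). NOT FreeType's code; names and EXTRA_SLOTS are hypothetical.
 * Build: cc -std=c99 -Wall -Wextra -o int_wrap_demo int_wrap_demo.c */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

#define EXTRA_SLOTS 4UL   /* hypothetical constant the allocator adds to the count */

/* Vulnerable size computation. A negative 16-bit count first becomes a value
 * near ULONG_MAX (e.g. -3 -> ULONG_MAX - 2); adding EXTRA_SLOTS then wraps it
 * to a tiny number (ULONG_MAX - 2 + 4 -> 1), which becomes the heap size. */
unsigned long vuln_slot_count(short num_sub)
{
    unsigned long n = (unsigned long)num_sub;  /* sign is lost here */
    n += EXTRA_SLOTS;                          /* unsigned wraparound for -4..-1 */
    return n;
}

/* Hardened size computation: refuse negative counts before widening and check
 * the addition for wraparound. Returns 0 and sets *out on success, -1 on rejection. */
int safe_slot_count(short num_sub, unsigned long *out)
{
    if (num_sub < 0)
        return -1;                             /* malformed font data: reject */
    unsigned long n = (unsigned long)num_sub;
    if (n > ULONG_MAX - EXTRA_SLOTS)
        return -1;                             /* cannot trigger for a short, kept for generality */
    *out = n + EXTRA_SLOTS;
    return 0;
}

/* Number of the EXTRA_SLOTS fixed writes that would fall past a buffer sized by
 * vuln_slot_count(). Computed rather than executed: a real store would be UB. */
unsigned long oob_long_writes(short num_sub)
{
    unsigned long n = vuln_slot_count(num_sub);
    return n < EXTRA_SLOTS ? EXTRA_SLOTS - n : 0;
}

int main(void)
{
    /* Constructed sample counts: only -4..-1 wrap into the small-size window;
     * -5 and below stay huge and the allocation simply fails. */
    short samples[] = { 10, 0, -1, -3, -4, -5, -100 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        short s = samples[i];
        unsigned long safe = 0;
        int ok = safe_slot_count(s, &safe);
        printf("num_sub=%5d  vuln_count=%20lu  oob_writes=%lu  hardened=%s\n",
               s, vuln_slot_count(s), oob_long_writes(s),
               ok == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The point the table of sample values makes is that only a narrow band of negative counts (here -4 to -1) wraps to a small size; anything more negative produces an enormous request that the allocator refuses, which is why a fuzzer or an attacker only needs to hit a handful of values. Compiling with `-Wconversion` does not catch the explicit cast, so the check has to be written in by hand, as in `safe_slot_count()`.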
Facebook has not said whether the vulnerability was exploited against its own services or observed elsewhere. Given how widely FreeType is deployed, developers and system administrators are strongly urged to move to the current release, FreeType 2.13.3, without delay. Two caveats matter in practice: Linux distributions frequently backport security fixes without changing the upstream version string, so the package changelog or the distribution's own advisory, not the reported version alone, tells you whether a system is covered; and software that bundles its own copy of FreeType (game engines, mobile apps, embedded firmware) needs to be rebuilt against a fixed version rather than relying on the system library.