Hackers Exploit FreeType Flaw to Attack Devices

Facebook has issued a warning about a vulnerability in the FreeType library that affects all versions up to 2.13 and could allow the execution of arbitrary code. The company reports that the vulnerability is currently being exploited in real-world attacks.

FreeType is a widely used open source library for rendering fonts. It is found in a variety of systems and services, including Linux, Android, game engines, graphical interfaces, and web platforms, and it supports font formats such as TrueType (TTF) and OpenType (OTF).

The vulnerability, tracked as CVE-2025-27363, has been given a high severity rating of 8.1 on the CVSS v3 scale. It was addressed in FreeType 2.13.0, released on February 9, 2023. However, Facebook has recently disclosed that the vulnerability exists in all versions of FreeType up to 2.13 and is actively being exploited by malicious actors.

According to reports, the vulnerability stems from a buffer overflow in the processing of structures in TrueType GX and variable fonts. The error occurs when a smaller value is assigned to a larger variable, leading to a heap buffer overflow; writing beyond the buffer boundaries could allow the execution of arbitrary code.
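As an added illustration of the bug class described above (not FreeType's code; the table layout, function names and sample bytes are constructed assumptions), here is a size computation that widens a signed 16-bit count into `size_t` without validation, beside a hardened version that rejects the input before any arithmetic:

```c
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>

/* Constructed table layout (an assumption, not a real TrueType structure):
 * a big-endian signed 16-bit entry count followed by that many 32-bit values. */
static int16_t read_int16(const unsigned char *p) {
    return (int16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Vulnerable pattern: the signed 16-bit count is widened into size_t before
 * any validation. A count of -1 becomes SIZE_MAX, the "+ 1" wraps to 0, and
 * malloc() would hand back far less memory than a later loop would fill. */
size_t vulnerable_alloc_size(const unsigned char *tbl) {
    int16_t count = read_int16(tbl);
    size_t n = count;                      /* -1 -> 0xFFFF...FF */
    return (n + 1) * sizeof(uint32_t);     /* wraps to 0 for count == -1 */
}

/* Hardened: reject in the signed domain, rule out wrap-around, and require
 * the entries to actually be present in the table. Returns 0 on rejection. */
size_t hardened_alloc_size(const unsigned char *tbl, size_t tbl_len) {
    if (tbl_len < 2) return 0;
    int16_t count = read_int16(tbl);
    if (count < 0) return 0;
    size_t n = (size_t)count;
    if (n > SIZE_MAX / sizeof(uint32_t) - 1) return 0;
    if ((tbl_len - 2) / sizeof(uint32_t) < n) return 0;
    return (n + 1) * sizeof(uint32_t);
}

/* Parses the entries into a heap array sized by hardened_alloc_size();
 * the caller frees it. Returns NULL when the header is rejected. */
uint32_t *parse_entries(const unsigned char *tbl, size_t tbl_len, size_t *out_n) {
    size_t bytes = hardened_alloc_size(tbl, tbl_len);
    if (bytes == 0) return NULL;
    uint32_t *v = malloc(bytes);
    if (v == NULL) return NULL;
    size_t n = bytes / sizeof(uint32_t) - 1;
    for (size_t i = 0; i < n; i++) {
        const unsigned char *p = tbl + 2 + i * 4;
        v[i] = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
               ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    }
    v[n] = 0;            /* the extra slot the "+ 1" reserves */
    *out_n = n;
    return v;
}

/* Constructed samples: a header claiming -1 entries, and a valid 2-entry table. */
const unsigned char SAMPLE_BAD[2]   = { 0xFF, 0xFF };
const unsigned char SAMPLE_GOOD[10] = { 0x00, 0x02, 0,0,0,7, 0,0,0,9 };
```

The hardened path never reaches `malloc()` with a wrapped size, which is the property a fix for this bug class has to guarantee regardless of the exact field widths involved.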

Facebook has not specified whether this vulnerability has been used in attacks against its own services or other targets. Nevertheless, given how widely FreeType is used, software developers and project administrators are strongly advised to update the library to version 2.13.3 immediately to mitigate the risk of exploitation.

It is worth noting that Meta and its products have been designated extremist, and their activities are prohibited on the territory of the Russian Federation.

Sources: reports, release notes, official announcements.