CVE-2023-45139: fonttools XML External Entity Injection (XXE) Vulnerability

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2023-45139

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

fonttools XML External Entity Injection (XXE) Vulnerability

Source: NVD (National Vulnerability Database)

Vulnerability Description

fontTools is a library for manipulating fonts, written in Python. The subsetting module has a XML External Entity Injection (XXE) vulnerability which allows an attacker to resolve arbitrary entities when a candidate font (OT-SVG fonts), which contains a SVG table, is parsed. This allows attackers to include arbitrary files from the filesystem fontTools is running on or make web requests from the host system. This vulnerability has been patched in version 4.43.0.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Source: NVD (National Vulnerability Database)

Vulnerability Type

XML外部实体引用的不恰当限制(XXE)

Source: NVD (National Vulnerability Database)

Vulnerability Title

fontTools 代码问题漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

fontTools是一个用 Python 编写的用于操作字体的库。 fontTools 4.43.0之前版本存在代码问题漏洞。攻击者利用该漏洞可以运行 fontTools 的文件系统的任意文件。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
fonttools	fonttools	>= 4.28.2, < 4.43.0	-

II. Public POCs for CVE-2023-45139

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2023-45139

Please Login to view more intelligence information

IV. Related Vulnerabilities

Same product: fonttools

CVE-2025-66034
fontTools is Vulnerable to Arbitrary File Write and XML inje

Same vendor: fonttools

CVE-2025-66034
fontTools is Vulnerable to Arbitrary File Write and XML inje

Same weakness: CWE-611

V. Comments for CVE-2023-45139

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

I. Basic Information for CVE-2023-45139

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2023-45139

III. Intelligence Information for CVE-2023-45139

IV. Related Vulnerabilities

V. Comments for CVE-2023-45139

Leave a comment