FreeType is an open source and free font rendering library. The rendering library is mainly used to display text and add text to images programmatically. With this open source library, developers can also load, rasterize and render fonts in various formats, such as TTF fonts or OTF fonts.

According to statistics, this rendering library has also been installed on millions of devices or services, including but not limited to Linux, Android, game engines, GUI frameworks or various online platforms.

The security research laboratory owned by the social media company Facebook recently announced a security vulnerability in FreeType. The vulnerability is numbered CVE-2025-27363 and has a vulnerability score of 8.1/10.

This vulnerability has been fixed in FreeType version 2.13.0 released on February 9, 2023. Why did Facebook only disclose this vulnerability now? Because they are worried that operating system and software developers will not have time to fix them, causing vulnerabilities to be exploited by hackers.

Facebook stated in the vulnerability description:

FreeType prior to version 2.13.0 had an out-of-bounds write when trying to parse font subglyph structures associated with TrueTypeGx and variable font files. The vulnerable code would assign a signed short value to an unsigned long value and also add a static value, causing it to wrap around and allocate a heap buffer that was too small. The code will then write up to 6 signed longs outside the bounds relative to this buffer, potentially leading to arbitrary code execution.

In fact, even if the version that fixes the vulnerability was released 2 years ago, a large number of projects are still using the old version containing security vulnerabilities. Facebook recommends that software developers and project managers should upgrade to FreeType 2.13.0+ version as soon as possible. After all, hackers have already tried to exploit this vulnerability to launch attacks.

What's interesting is that discovering this vulnerability can be difficult. Perhaps Facebook relies on FreeType to some extent to discover such vulnerabilities during daily security research, but it is unclear whether Facebook discovered the vulnerability from its own platform or while researching external projects.