CVE Reports

Posted on • Originally published at cvereports.com

GHSA-2mhw-8qcg-gr96: Supply Chain RCE in skia-python via Vendored libfreetype (CVE-2025-27363)

Vulnerability ID: GHSA-2MHW-8QCG-GR96
CVSS Score: 8.1
Published: 2026-03-19

The skia-python package implicitly vendors a vulnerable version of libfreetype in its Linux wheel distributions, exposing applications to CVE-2025-27363. This underlying out-of-bounds write vulnerability allows for unauthenticated remote code execution via specially crafted font files.

TL;DR

A critical supply chain vulnerability in skia-python Linux wheels packages an outdated libfreetype binary. This exposes consumers to CVE-2025-27363, a weaponized out-of-bounds write flaw triggered by parsing malicious font files, leading to remote code execution.


⚠️ Exploit Status: WEAPONIZED

Technical Details

  • Vulnerability Type: Out-of-bounds Write (CWE-787)
  • CVSS v3.1 Score: 8.1 (High)
  • EPSS Probability: 76.15%
  • Attack Vector: Network (Malicious Font Parsing)
  • Exploit Status: Weaponized / Active
  • CISA KEV Status: Listed (via CVE-2025-27363)

Affected Systems

  • skia-python (Linux wheels): < 144.0.post1 (fixed in 144.0.post1)
  • freetype: <= 2.13.0 (fixed in 2.13.1)

Code Analysis

Commit: ef63669

Upstream FreeType fix for CVE-2025-27363, addressing the integer wrap-around and out-of-bounds write in ttgload.c.

Exploit Details

  • GitHub (zhuowei): A font-based crash PoC for FreeType 2.13.0 demonstrating the Out-of-bounds Write.
  • GitHub (tin-z): A full RCE exploit targeting Chrome headless mode on Ubuntu via CVE-2025-27363.

Mitigation Strategies

  • Upgrade skia-python to version 144.0.post1 or higher.
  • Update base manylinux container images to ensure system freetype-devel is version 2.9.1-10 or newer.
  • Implement file-type validation to strip or reject untrusted TrueType GX and variable font files.

Remediation Steps:

  1. Identify all internal services and applications utilizing the skia-python library.
  2. Execute pip install --upgrade "skia-python>=144.0.post1" in all environments (the specifier is quoted so the shell does not treat >= as a redirection).
  3. For custom builds, run yum update freetype-devel inside the cibuildwheel container environment prior to executing build_Linux.sh.
  4. Scan container images with SCA tools capable of identifying vendored C/C++ libraries within Python wheels.
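The mitigation and remediation lists above describe a version check on two layers: the skia-python wheel itself and the libfreetype copy it carries. The script below is an added example (it is not part of the cvereports.com advisory nor of the skia-python project) that performs that audit on the local interpreter: it compares the installed skia-python version against 144.0.post1 and asks every bundled libfreetype shared object for its own version through FreeType's public FT_Library_Version API. It assumes that auditwheel-repaired manylinux wheels drop vendored libraries into a "<package>.libs" directory inside site-packages; the advisory does not name the directory skia-python uses, so all such directories are searched.

```python
"""Local audit for CVE-2025-27363 exposure via skia-python Linux wheels (added example)."""
import ctypes
import glob
import os
import re
import sys
from importlib import metadata

# Thresholds taken from the advisory.
FIXED_SKIA_PYTHON = "144.0.post1"
LAST_VULNERABLE_FREETYPE = (2, 13, 0)

# Accepts the simple PEP 440 shapes skia-python uses ("143.0", "144.0.post1").
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:\.?post(\d+))?$")


def parse_skia_version(version: str) -> tuple:
    """Return (major, minor, micro, post) so a post-release sorts above its base release."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    major, minor, micro, post = m.groups()
    return (int(major), int(minor), int(micro or 0), int(post or 0))


def skia_is_vulnerable(version: str) -> bool:
    """True when the installed wheel predates the fixed release named in the advisory."""
    return parse_skia_version(version) < parse_skia_version(FIXED_SKIA_PYTHON)


def freetype_is_vulnerable(version: tuple) -> bool:
    """True for FreeType <= 2.13.0, the affected range listed in the advisory."""
    return tuple(version) <= LAST_VULNERABLE_FREETYPE


def query_freetype_version(so_path: str) -> tuple:
    """Load a libfreetype shared object and read its version via FT_Library_Version."""
    lib = ctypes.CDLL(so_path)
    library = ctypes.c_void_p()
    if lib.FT_Init_FreeType(ctypes.byref(library)) != 0:
        raise RuntimeError(f"FT_Init_FreeType failed for {so_path}")
    major, minor, patch = ctypes.c_int(), ctypes.c_int(), ctypes.c_int()
    lib.FT_Library_Version(library, ctypes.byref(major), ctypes.byref(minor), ctypes.byref(patch))
    lib.FT_Done_FreeType(library)
    return (major.value, minor.value, patch.value)


def find_vendored_freetype() -> list:
    """Locate libfreetype copies bundled inside wheels on sys.path.

    Assumption (not stated in the advisory): auditwheel places vendored libraries
    in a '<package>.libs' directory, so every such directory is searched.
    """
    hits = []
    for root in set(sys.path):
        if not root or not os.path.isdir(root):
            continue
        hits.extend(glob.glob(os.path.join(root, "*.libs", "libfreetype*.so*")))
    return sorted(set(hits))


def main() -> int:
    """Print a per-layer verdict; exit 1 when any layer is still exposed."""
    try:
        installed = metadata.version("skia-python")
    except metadata.PackageNotFoundError:
        print("skia-python is not installed here; nothing to audit")
        return 0
    exposed = skia_is_vulnerable(installed)
    verdict = f"VULNERABLE (< {FIXED_SKIA_PYTHON})" if exposed else "fixed release"
    print(f"skia-python {installed}: {verdict}")
    for so in find_vendored_freetype():
        try:
            ver = query_freetype_version(so)
        except (OSError, RuntimeError) as exc:
            print(f"  {so}: could not query version ({exc})")
            continue
        ft_bad = freetype_is_vulnerable(ver)
        print(f"  vendored {so}: FreeType {'.'.join(map(str, ver))} -> "
              f"{'VULNERABLE' if ft_bad else 'ok'}")
        exposed = exposed or ft_bad
    return 1 if exposed else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it inside each environment (or each container image) identified in step 1; a non-zero exit code means either the wheel is older than 144.0.post1 or a bundled libfreetype still reports 2.13.0 or lower, which is the condition step 4's SCA scan is meant to catch at scale.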
