Facebook has disclosed a critical FreeType vulnerability (CVE-2025-27363) that can enable arbitrary code execution and has reportedly been exploited in real-world attacks.
FreeType, an open-source font rendering library used in Linux, Android, game engines, and online platforms, is affected in all versions up to and including 2.13.0; the flaw was patched on February 9, 2023.
The flaw is an out-of-bounds write that occurs when parsing certain TrueType font structures, letting an attacker who controls the font data overwrite memory and potentially execute malicious code.
While Facebook has not clarified whether the attacks were observed on its platform or elsewhere, the company emphasized the urgency of addressing the issue.
Given the widespread use of FreeType, software developers and administrators must update to version 2.13.3 immediately to mitigate the risk.
Older FreeType versions may remain embedded in software for years, making proactive patching essential to prevent exploitation.
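Because vendored copies of FreeType are easy to miss, a small audit helper that classifies version strings against the thresholds given above (affected up to 2.13.0, recommended 2.13.3) is useful. This is an added example, not code from Facebook or the FreeType project; the `FREETYPE_MAJOR`/`MINOR`/`PATCH` macros are the ones FreeType's own `freetype.h` defines, and all sample inputs are constructed.

```python
"""Classify FreeType build versions against the thresholds in the advisory above."""
import re
from typing import Dict, Iterable, Optional, Tuple

Version = Tuple[int, int, int]

LAST_VULNERABLE: Version = (2, 13, 0)  # all versions up to and including this are affected
RECOMMENDED: Version = (2, 13, 3)      # version administrators are told to move to


def parse_version(text: str) -> Optional[Version]:
    """Parse 'major.minor[.patch]' from pkg-config style output such as
    '2.13.0' or a distro string like '2.10.4-1ubuntu1'. None if absent."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def parse_header(header_text: str) -> Optional[Version]:
    """Recover the version from the FREETYPE_MAJOR/MINOR/PATCH macros in
    freetype.h, which is how a copy vendored into a source tree identifies itself."""
    parts = {}
    for name in ("MAJOR", "MINOR", "PATCH"):
        m = re.search(rf"^\s*#\s*define\s+FREETYPE_{name}\s+(\d+)", header_text, re.M)
        if not m:
            return None
        parts[name] = int(m.group(1))
    return (parts["MAJOR"], parts["MINOR"], parts["PATCH"])


def classify(v: Version) -> str:
    """Map a version to the action the advisory implies."""
    if v <= LAST_VULNERABLE:
        return "vulnerable"
    if v < RECOMMENDED:
        return "below-recommended"
    return "ok"


# Constructed sample inputs standing in for `pkg-config --modversion freetype2`
# output and a vendored freetype.h; they are not taken from any real host.
SAMPLE_PKGCONFIG = ["2.10.4-1ubuntu1", "2.13.0", "2.13.1", "2.13.3"]
SAMPLE_HEADER = "#define FREETYPE_MAJOR  2\n#define FREETYPE_MINOR  12\n#define FREETYPE_PATCH  1\n"


def audit(pkgconfig_outputs: Iterable[str], header_text: str) -> Dict[str, str]:
    results = {s: classify(parse_version(s)) for s in pkgconfig_outputs}
    hv = parse_header(header_text)
    results["vendored freetype.h"] = classify(hv) if hv else "unknown"
    return results


if __name__ == "__main__":
    for source, verdict in audit(SAMPLE_PKGCONFIG, SAMPLE_HEADER).items():
        print(f"{source:22} {verdict}")
```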
Facebook stated that it routinely reports security vulnerabilities in open-source software to enhance cybersecurity across the internet.
Users and organizations should remain vigilant, ensuring their systems are protected against potential attacks leveraging this vulnerability.