Facebook has warned about a critical vulnerability in the FreeType font rendering library that could allow attackers to execute malicious code.
The flaw, tracked as CVE-2025-27363, affects all versions up to 2.13.0 and has reportedly been exploited in attacks.
FreeType is widely used across Linux, Android, game engines, and various online platforms. The vulnerability, rated 8.1 (high severity) under CVSS v3, was fixed in FreeType 2.13.0 on February 9, 2023. However, older versions remain at risk, prompting urgent updates.
The issue stems from an out-of-bounds write when parsing specific font structures. This could lead to memory corruption, potentially allowing attackers to execute arbitrary code. Facebook’s security team has not confirmed whether the attacks occurred on its platform but stresses the need for immediate action.
Developers and system administrators are urged to upgrade to FreeType 2.13.3, the latest version, to protect against exploitation of this flaw. Meta, Facebook’s parent company, emphasized its commitment to online security, stating, “We report security bugs in open source software when we find them because it strengthens online security for everyone.”
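Since the article's only mitigation is a version upgrade, the practical first step is to find out which FreeType a system actually carries. The script below is an added example, not code from the article or from the FreeType project: it reads the version either from `pkg-config --modversion freetype2` (when that tool is installed) or from the `FREETYPE_MAJOR`/`FREETYPE_MINOR`/`FREETYPE_PATCH` macros in `freetype/freetype.h`, and compares it against the 2.13.3 release the article recommends. The header text embedded below is a constructed sample of an older installation; the 2.13.3 threshold is taken from the article and can be changed if a distribution backports the fix to a different version string.

```python
"""Compare a FreeType version against the upgrade target named in the article.

Added example, not part of the article. Assumptions:
- the macro names FREETYPE_MAJOR/MINOR/PATCH come from <freetype/freetype.h>;
  SAMPLE_HEADER below is a constructed stand-in for that file, not a real copy.
- RECOMMENDED_VERSION is the 2.13.3 release the article tells readers to install.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Upgrade target named in the article.
RECOMMENDED_VERSION: Version = (2, 13, 3)

# Matches lines such as "#define FREETYPE_MINOR  13" inside freetype.h.
_MACRO_RE = re.compile(r"^\s*#\s*define\s+FREETYPE_(MAJOR|MINOR|PATCH)\s+(\d+)", re.M)


def parse_version_string(text: str) -> Optional[Version]:
    """Parse 'MAJOR.MINOR[.PATCH]' as printed by `pkg-config --modversion freetype2`."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def parse_header_version(header_text: str) -> Optional[Version]:
    """Extract the three FREETYPE_* version macros from the contents of freetype.h."""
    found = {name: int(num) for name, num in _MACRO_RE.findall(header_text)}
    if not {"MAJOR", "MINOR", "PATCH"} <= found.keys():
        return None  # header fragment is incomplete; do not guess
    return (found["MAJOR"], found["MINOR"], found["PATCH"])


def needs_upgrade(version: Version, target: Version = RECOMMENDED_VERSION) -> bool:
    """True when the installed version is older than the recommended release."""
    return version < target


def installed_version_via_pkg_config() -> Optional[Version]:
    """Ask pkg-config for the locally installed FreeType, if the tool is available."""
    if shutil.which("pkg-config") is None:
        return None
    try:
        out = subprocess.run(
            ["pkg-config", "--modversion", "freetype2"],
            capture_output=True, text=True, check=True, timeout=10,
        ).stdout
    except (subprocess.CalledProcessError, subprocess.TimeoutExpired):
        return None  # freetype2.pc not registered or pkg-config hung
    return parse_version_string(out)


# Constructed sample of the relevant lines from an older freetype.h (2.12.1).
SAMPLE_HEADER = """\
#define FREETYPE_MAJOR  2
#define FREETYPE_MINOR  12
#define FREETYPE_PATCH  1
"""


def describe(version: Version, source: str) -> str:
    """Human-readable verdict for one detected version."""
    v = ".".join(map(str, version))
    t = ".".join(map(str, RECOMMENDED_VERSION))
    verdict = "UPGRADE NEEDED" if needs_upgrade(version) else "OK"
    return f"FreeType {v} ({source}): {verdict}, recommended release is {t}"


if __name__ == "__main__":
    live = installed_version_via_pkg_config()
    if live is not None:
        print(describe(live, "pkg-config"))
    else:
        sample = parse_header_version(SAMPLE_HEADER)
        print(describe(sample, "constructed sample header"))
```

On a real host, pair the header check with the package manager's own record (for example `dpkg -l libfreetype6` or `rpm -q freetype`), because vendor builds often carry a patched older version string; statically linked copies inside game engines or containers will not show up in either place and need to be inventoried separately.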
Bijay Pokharel