Canva, the online graphic design platform, recently delved into font security, uncovering three critical vulnerabilities in what they describe as “strange places.” In a continuous effort to enhance their security processes, software, and tools, Canva explored less common attack surfaces, focusing on fonts as a complex and prevalent aspect of graphics processing. The findings revealed three type-related vulnerabilities, including a high-severity bug (CVE-2023-45139) in FontTools, a Python library for manipulating fonts. This bug allowed the creation of a subsetted font containing a potentially malicious file.
Two additional vulnerabilities, CVE-2024-25081 and CVE-2024-25082, rated at 4.2/10, were associated with naming conventions and compression in tools like FontForge and ImageMagick. The complex naming systems in fonts pose security challenges when operating on untrusted data, as demonstrated by Canva’s researchers who constructed a proof of concept, revealing potential unauthorized access through FontForge.
Canva emphasized the vulnerability of the font landscape, citing the need for unique typography by corporations and individuals, each with its own specifications. This isn’t a new issue; even Google addressed font security in 2015, highlighting memory corruption bugs during font processing. Canva advocates treating fonts as untrusted inputs and anticipates more research to enhance security maturity in this overlooked area.
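One way to act on the advice to treat fonts as untrusted inputs, as an added example that is not code from Canva or from any of the tools named above: a gate that checks an uploaded file's sfnt table directory before the file reaches a font library. The size limit, the table allowlist and the function names are assumptions of this example.

```python
import struct

# Policy values are assumptions of this example, not taken from the article.
MAX_FONT_BYTES = 10 * 1024 * 1024
MAX_TABLES = 64
SFNT_MAGICS = {b"\x00\x01\x00\x00", b"OTTO"}  # TrueType / CFF outlines
REQUIRED = {b"cmap", b"head", b"hhea", b"hmtx", b"maxp", b"name", b"post"}
ALLOWED = REQUIRED | {b"OS/2", b"glyf", b"loca", b"CFF ", b"GPOS", b"GSUB",
                      b"GDEF", b"kern", b"cvt ", b"fpgm", b"prep", b"gasp"}


def check_font(data: bytes) -> list[str]:
    """Return policy violations; an empty list means the font may be processed."""
    if len(data) > MAX_FONT_BYTES:
        return ["file too large"]
    if len(data) < 12 or data[:4] not in SFNT_MAGICS:
        return ["not a bare TrueType/OpenType (sfnt) file"]
    num_tables = struct.unpack_from(">H", data, 4)[0]
    dir_end = 12 + 16 * num_tables
    if not 0 < num_tables <= MAX_TABLES or dir_end > len(data):
        return ["implausible table count"]
    problems, seen, spans = [], set(), []
    for i in range(num_tables):
        tag, _sum, offset, length = struct.unpack_from(">4sIII", data, 12 + 16 * i)
        name = tag.decode("latin-1")
        if tag in seen:
            problems.append(f"duplicate table {name!r}")
        seen.add(tag)
        if tag not in ALLOWED:
            problems.append(f"table {name!r} is not on the allowlist")
        if offset < dir_end or offset + length > len(data):
            problems.append(f"table {name!r} is out of bounds")
        else:
            spans.append((offset, offset + length, name))
    spans.sort()
    for (_, a_end, a), (b_start, _, b) in zip(spans, spans[1:]):
        if b_start < a_end:
            problems.append(f"tables {a!r} and {b!r} overlap")
    problems += [f"missing table {t.decode()!r}" for t in sorted(REQUIRED - seen)]
    return problems


def build_sfnt(tables: dict[bytes, bytes]) -> bytes:
    """Constructed sample input: a minimal sfnt container, not a usable font."""
    base, records, body = 12 + 16 * len(tables), b"", b""
    for tag, payload in tables.items():
        payload += b"\0" * (-len(payload) % 4)  # tables are 4-byte aligned
        records += struct.pack(">4sIII", tag, 0, base + len(body), len(payload))
        body += payload
    return b"\x00\x01\x00\x00" + struct.pack(">HHHH", len(tables), 0, 0, 0) + records + body
```

The gate deliberately rejects WOFF, WOFF2 and font collections; a pipeline that accepts those containers would need to unpack them in a sandbox first and run the same check on the result.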