Canva’s deep dive into the world of font security has uncovered three unexpected vulnerabilities and revealed how choosing the wrong font could spell a cybersecurity disaster.
In an effort to improve the security of its tools, Canva has been investigating lesser-explored attack surfaces, including fonts, which play an integral role in graphics processing.
Three vulnerabilities are highlighted in a report titled “Fonts are still a Helvetica of a Problem,” with Canva ultimately stating that the font landscape is actually quite rich in attack surfaces.
Canva cares about the font you use
The first vulnerability, tracked as CVE-2023-45139, was discovered in FontTools, a Python library for manipulating fonts. Canva discovered that when processing an SVG table to subset a font, FontTools could use an untrusted XML file, leading to an XML External Entity (XXE) vulnerability.
The researchers exploited this vulnerability to produce a subset font containing an SVG table with the payload /etc/passwd. FontTools released a patch three days after it was notified of the vulnerability in September 2023.
The other two vulnerabilities, CVE-2024-25081 and CVE-2024-25082, both rated 4.2/10, were related to naming conventions and font compression. Canva discovered the potential for command injection when handling filenames in tools like FontForge and ImageMagick. Both have also been addressed.
Canva recognized the timely work of open-source font software and tool administrators, noting that IT staff should “treat fonts like any other untrusted input” by implementing sandboxing and using tools like OpenType-Sanitizer.
This isn’t the first time font security has been raised; Google explored similar issues almost a decade ago. But with the increased prevalence and more serious consequences of cyber attacks, Canva’s recommendation that we pay attention to less obvious attack surfaces is a mighty sensible one.