Security: CVE-2025-27363 – FreeType dependency via Skia in Flutter

[matheusmourafpf]

Hello,

A security scan on a Flutter-based mobile application identified the CVE-2025-27363
affecting the FreeType library (out-of-bounds write, potential RCE).

Current situation:

• The application itself does not include FreeType directly
• FreeType is bundled through Skia in Flutter
• Security scanners detect FreeType version <= 2.13.0, which is affected by CVE-2025-27363

Impact and Severity:

• The vulnerability may result in arbitrary code execution, depending on how the affected FreeType code paths are used.
• The CVSS v3.1 score is 8.1 (HIGH) according to NVD.
• This CVE is listed in the CISA Known Exploited Vulnerabilities (KEV) Catalog, indicating potential exploitation in the wild.

Known Remediation Requirements:

• FreeType versions ≤ 2.13.0 are affected
• FreeType ≥ 2.13.1 includes the fix and is not affected by this vulnerability

References:

• CVE details (NVD): https://nvd.nist.gov/vuln/detail/CVE-2025-27363

Questions:

1. Is there a planned update to Skia/FreeType to address CVE-2025-27363?
2. Is there any recommended mitigation for Flutter applications until an official update is available?

[github-actions]

This thread has been automatically locked since there has not been any recent activity after it was closed. If you are still experiencing a similar issue, please open a new bug, including the output of flutter doctor -v and a minimal reproduction of the issue.