In a barebones advisory, Facebook warned that the security defect was found in FreeType versions 2.13.0 and below and provides a pathway for arbitrary code execution attacks.

“This vulnerability may have been exploited in the wild,” Facebook said, without providing any details on the reported attacks. The bug has been tagged as CVE-2025-27363 and carries a CVSS severity score of 8.1 out of 10.