Dart and Flutter SDKs allow malicious packages to write outside their directory

Summary

In older versions of the Dart and Flutter SDKs, a malicious package could potentially write files to the wrong directory. This has been fixed in versions 3.11.0 of the Dart SDK and 3.41.0 of the Flutter SDK. If you're using these SDKs, update to the latest versions to stay secure.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
dart	dart_software_development_kit	<= 3.11.0	–
flutter	flutter	<= 3.41.0	–

Original title

The Dart and Flutter SDKs provide software development kits for the Dart programming language. In versions of the Dart SDK prior to 3.11.0 and the Flutter SDK prior to version 3.41.0, when the pub ...

Original description

The Dart and Flutter SDKs provide software development kits for the Dart programming language. In versions of the Dart SDK prior to 3.11.0 and the Flutter SDK prior to version 3.41.0, when the pub client (`dart pub` and `flutter pub`) extracts a package in the pub cache, a malicious package archive can have files extracted outside the destination directory in the `PUB_CACHE`. A fix has been landed in commit 26c6985c742593d081f8b58450f463a584a4203a. By normalizing the file path before writing file, the attacker can no longer traverse up via a symlink. This patch is released in Dart 3.11.0 and Flutter 3.41.0.vAll packages on pub.dev have been vetted for this vulnerability. New packages are no longer allowed to contain symlinks. The pub client itself doesn't upload symlinks, but duplicates the linked entry, and has been doing this for years. Those whose dependencies are all from pub.dev, third-party repositories trusted to not contain malicious code, or git dependencies are not affected by this vulnerability.

nvd CVSS4.0 6.6

Vulnerability type

CWE-22 Path Traversal