Description
The Dart and Flutter SDKs provide software development kits for the Dart programming language. In versions of the Dart SDK prior to 3.11.0 and the Flutter SDK prior to version 3.41.0, when the pub client (`dart pub` and `flutter pub`) extracts a package into the pub cache, a malicious package archive can have files extracted outside the destination directory in the `PUB_CACHE`. A fix has landed in commit 26c6985c742593d081f8b58450f463a584a4203a. By normalizing the file path before writing the file, the attacker can no longer traverse up via a symlink. This patch is released in Dart 3.11.0 and Flutter 3.41.0. All packages on pub.dev have been vetted for this vulnerability. New packages are no longer allowed to contain symlinks. The pub client itself doesn't upload symlinks, but duplicates the linked entry, and has been doing this for years. Those whose dependencies are all from pub.dev, third-party repositories trusted to not contain malicious code, or git dependencies are not affected by this vulnerability.
Published: 2026-02-25
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local File Overwrite via Path Traversal
Action: Immediate Patch
AI Analysis

Impact

The Dart and Flutter SDK’s pub client extracts packages into the user’s PUB_CACHE directory. In SDK versions earlier than Dart 3.11.0 and Flutter 3.41.0, the extraction routine did not normalize the file path of items inside a package archive. A malicious package could therefore include a symlink that points to a location outside the intended cache, allowing the pub client to create or overwrite arbitrary files on the host filesystem. This represents a classic path‑traversal flaw (CWE‑22). The vulnerability was addressed in commit 26c6985c742593d081f8b58450f463a584a4203a, where path normalization is performed before writing files, and new packages are prevented from containing symlinks. Consequently, only the older SDK releases remain affected.
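The normalize-before-write check the description refers to, shown as an added Python illustration of the defensive pattern (this is not the pub client's Dart code and not the patched commit): every archive entry name is normalized and checked for traversal, symlink and hardlink entries are refused outright as pub.dev now does for new packages, and the resolved on-disk path is verified to lie inside the destination immediately before anything is written. The three `.tar.gz` archives are constructed in memory for the demonstration; the file names, the `safe_extract` and `classify` helpers and the cache directory layout are assumptions, not pub internals.

```python
import io
import os
import tarfile
import tempfile
from typing import List, Tuple


class UnsafeArchiveError(ValueError):
    """Raised when an archive entry would be written outside the destination."""


def _is_within(dest_real: str, path: str) -> bool:
    """True if the resolved on-disk location of `path` is inside dest_real."""
    real = os.path.realpath(path)
    return real == dest_real or real.startswith(dest_real + os.sep)


def safe_extract(archive: bytes, dest: str) -> List[str]:
    """Extract a .tar.gz into `dest`, refusing any entry that could escape it.

    Returns the normalized relative paths of the regular files written.
    Raises UnsafeArchiveError for absolute names, '..' traversal, symlink or
    hardlink entries, and any write whose resolved location is outside dest.
    """
    os.makedirs(dest, exist_ok=True)
    dest_real = os.path.realpath(dest)
    written: List[str] = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            # 1. Normalize the archive-supplied name, then reject traversal.
            norm = os.path.normpath(member.name)
            if os.path.isabs(member.name) or norm == ".." or norm.startswith(".." + os.sep):
                raise UnsafeArchiveError(f"{member.name!r} escapes the destination")
            # 2. Refuse link entries outright: a link created inside the cache
            #    could redirect a later write anywhere on the filesystem.
            if member.issym() or member.islnk():
                raise UnsafeArchiveError(f"{member.name!r} is a symlink/hardlink entry")
            target = os.path.join(dest_real, norm)
            # 3. Re-check the resolved path right before writing, so a symlink
            #    that already exists on disk cannot redirect the write either.
            if not _is_within(dest_real, target):
                raise UnsafeArchiveError(f"{member.name!r} resolves outside the destination")
            if member.isdir():
                os.makedirs(target, exist_ok=True)
            elif member.isfile():
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with tar.extractfile(member) as src, open(target, "wb") as dst:
                    dst.write(src.read())
                written.append(norm)
            else:
                raise UnsafeArchiveError(f"{member.name!r}: unsupported entry type")
    return written


def _build_archive(entries: List[Tuple[str, str, str]]) -> bytes:
    """Build an in-memory .tar.gz from (name, kind, payload) tuples.

    kind is 'file' (payload = contents) or 'symlink' (payload = link target).
    Used only to construct sample input for this demonstration.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "file":
                data = payload.encode()
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
            else:
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
    return buf.getvalue()


# Constructed sample archives (hypothetical package contents, not real pub.dev packages).
BENIGN = _build_archive([
    ("pubspec.yaml", "file", "name: sample\nversion: 1.0.0\n"),
    ("lib/sample.dart", "file", "void main() {}\n"),
])
DOTDOT_TRAVERSAL = _build_archive([
    ("../outside.txt", "file", "would land outside the cache\n"),
])
SYMLINK_TRAVERSAL = _build_archive([
    ("lib", "symlink", "../../.."),                  # link pointing above the cache
    ("lib/outside.txt", "file", "would be written through the link\n"),
])


def classify(archive: bytes) -> str:
    """Extract into a throwaway cache dir; return 'ok: <files>' or the rejection reason."""
    with tempfile.TemporaryDirectory() as pub_cache:
        try:
            files = safe_extract(archive, os.path.join(pub_cache, "hosted", "sample-1.0.0"))
            return "ok: " + ", ".join(files)
        except UnsafeArchiveError as exc:
            return "rejected: " + str(exc)


if __name__ == "__main__":
    for label, archive in [("benign", BENIGN),
                           ("dotdot", DOTDOT_TRAVERSAL),
                           ("symlink", SYMLINK_TRAVERSAL)]:
        print(f"{label:8s} {classify(archive)}")
```

Refusing link entries (step 2) is what makes step 3 sufficient: without it, an archive could first create a link inside the cache and then write a later entry through it, which is the symlink traversal the advisory describes. The realpath check at write time additionally covers links that were already present in the cache before extraction started.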

Affected Systems

The Dart SDK prior to version 3.11.0 and the Flutter SDK prior to version 3.41.0 are affected. These are distributed by dart‑lang and flutter. Packages on pub.dev that include symlinks trigger the flaw; dependencies that come exclusively from pub.dev, from trusted third‑party repositories that do not ship malicious code, or from git repositories do not trigger the vulnerability.

Risk and Exploitability

CVSS 6.6 denotes medium severity. EPSS below 1 % indicates very low likelihood of exploitation, and the issue is not listed in CISA’s KEV catalog. Exploitation requires the attacker to deliver a malicious package archive, typically by controlling a package on pub.dev or a git repository trusted by the user. Successful exploitation results in local file overwrite, which could compromise build artifacts or introduce malicious code into the codebase.

Generated by OpenCVE AI on April 18, 2026 at 10:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Dart SDK to version 3.11.0 or newer and the Flutter SDK to version 3.41.0 or newer.
  • Verify that all dependencies are sourced from pub.dev and that no packages contain symlinks; trust only packages that have been vetted by the repository.
  • If an immediate upgrade is not possible, audit the local pub cache for symlinks and remove any packages that contain them, or restrict future package installations to use only signed packages from trusted registries.


Tracking


Advisories

No advisories yet.

History

Fri, 13 Mar 2026 01:00:00 +0000

Type: First Time appeared
  Values Added: Dart; Dart dart Software Development Kit; Flutter; Flutter flutter
Type: CPEs
  Values Added: cpe:2.3:a:dart:dart_software_development_kit:*:*:*:*:*:*:*:*; cpe:2.3:a:flutter:flutter:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added: Dart; Dart dart Software Development Kit; Flutter; Flutter flutter
Type: Metrics
  Values Added: cvssV3_1
    {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Thu, 26 Feb 2026 13:30:00 +0000

Type: First Time appeared
  Values Added: Dart-lang; Dart-lang flutter; Dart-lang sdk
Type: Vendors & Products
  Values Added: Dart-lang; Dart-lang flutter; Dart-lang sdk

Thu, 26 Feb 2026 13:15:00 +0000

Type: Metrics
  Values Added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Feb 2026 15:45:00 +0000

Type: Description
  Values Added: The Dart and Flutter SDKs provide software development kits for the Dart programming language. In versions of the Dart SDK prior to 3.11.0 and the Flutter SDK prior to version 3.41.0, when the pub client (`dart pub` and `flutter pub`) extracts a package in the pub cache, a malicious package archive can have files extracted outside the destination directory in the `PUB_CACHE`. A fix has been landed in commit 26c6985c742593d081f8b58450f463a584a4203a. By normalizing the file path before writing file, the attacker can no longer traverse up via a symlink. This patch is released in Dart 3.11.0 and Flutter 3.41.0. All packages on pub.dev have been vetted for this vulnerability. New packages are no longer allowed to contain symlinks. The pub client itself doesn't upload symlinks, but duplicates the linked entry, and has been doing this for years. Those whose dependencies are all from pub.dev, third-party repositories trusted to not contain malicious code, or git dependencies are not affected by this vulnerability.
Type: Title
  Values Added: Dart SDK and Flutter SDK have Zip slip in Dart Pub package extraction
Type: Weaknesses
  Values Added: CWE-22
Type: References
  Values Added: (none listed)
Type: Metrics
  Values Added: cvssV4_0
    {'score': 6.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-25T20:27:35.486Z

Reserved: 2026-02-23T17:56:51.202Z

Link: CVE-2026-27704

Vulnrichment

Updated: 2026-02-25T20:27:29.464Z

NVD

Status : Analyzed

Published: 2026-02-25T16:23:26.960

Modified: 2026-03-13T00:56:42.250

Link: CVE-2026-27704

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:45:43Z

Weaknesses