CVE-2024-54462

LOW EPSS 9.8%
Published Jan 29, 20251y ago · Modified Jun 17, 20261w ago
2.1 CVSS 4.0
Low
Find Similar
Published Jan 29, 2025 1y ago
Last Modified Jun 17, 2026 1w ago

Description

The file names constructed within image_picker are missing sanitization checks leaving them vulnerable to malicious document providers. This may result in cases where a user with a malicious document provider installed can select an image file from that provider while using your app and could potentially override internal files in your app cache. Issue patched in 0.8.12+18. It is recommended to update to the latest version of image_picker_android that contains the changes to address this vulnerability.

CVSS Details

Base Score
2.1
Exploitability
Impact
Vector string
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:A/VC:N/VI:L/VA:L/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Local
Attack Complexity High
Privileges Required Low
User Interaction A
Scope X

Threat Intelligence

EPSS Exploit Probability
9.8% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 2

CWE-22 Path Traversal Resource Mgmt
CWE-23

Affected Products 1

VendorProductVersionRange
flutterimage_picker_android*≥0.8.5\+6  –  <0.8.12\+18

References 1

  • github.com https://github.com/flutter/packages/security/advisories/GHSA-98v2-f47x-89xw
    Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.