CVE-2026-27704

MEDIUM EPSS 27.5%
Published Feb 25, 20264mo ago · Modified Jun 17, 20261w ago
6.6 CVSS 4.0
Medium
Find Similar
Published Feb 25, 2026 4mo ago
Last Modified Jun 17, 2026 1w ago

Description

The Dart and Flutter SDKs provide software development kits for the Dart programming language. In versions of the Dart SDK prior to 3.11.0 and the Flutter SDK prior to version 3.41.0, when the pub client (`dart pub` and `flutter pub`) extracts a package in the pub cache, a malicious package archive can have files extracted outside the destination directory in the `PUB_CACHE`. A fix has been landed in commit 26c6985c742593d081f8b58450f463a584a4203a. By normalizing the file path before writing file, the attacker can no longer traverse up via a symlink. This patch is released in Dart 3.11.0 and Flutter 3.41.0.vAll packages on pub.dev have been vetted for this vulnerability. New packages are no longer allowed to contain symlinks. The pub client itself doesn't upload symlinks, but duplicates the linked entry, and has been doing this for years. Those whose dependencies are all from pub.dev, third-party repositories trusted to not contain malicious code, or git dependencies are not affected by this vulnerability.

CVSS Details

Base Score
6.6
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
27.5% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-22 Path Traversal Resource Mgmt

Affected Products 2

VendorProductVersionRange
dartdart_software_development_kit* <3.11.0
flutterflutter* <3.41.0

References 2

  • github.com https://github.com/dart-lang/pub/commit/26c6985c742593d081f8b58450f463a584a4203a
    Patch
  • github.com https://github.com/dart-lang/sdk/security/advisories/GHSA-q739-79rh-vmvp
    PatchVendor Advisory

Remediation

  • github.com https://github.com/dart-lang/pub/commit/26c6985c742593d081f8b58450f463a584a4203a
    Patch
  • github.com https://github.com/dart-lang/sdk/security/advisories/GHSA-q739-79rh-vmvp
    PatchVendor Advisory