CVE-2026-27704
Status: Received - Intake
Directory Traversal in Dart and Flutter Pub Package Extraction

Publication date: 2026-02-25

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
The Dart and Flutter SDKs provide software development kits for the Dart programming language. In versions of the Dart SDK prior to 3.11.0 and the Flutter SDK prior to 3.41.0, when the pub client (`dart pub` and `flutter pub`) extracts a package into the pub cache, a malicious package archive can have files extracted outside the destination directory in the `PUB_CACHE`.

A fix has landed in commit 26c6985c742593d081f8b58450f463a584a4203a. By normalizing each file path before writing the file, the attacker can no longer traverse up via a symlink. This patch is released in Dart 3.11.0 and Flutter 3.41.0.

All packages on pub.dev have been vetted for this vulnerability. New packages are no longer allowed to contain symlinks. The pub client itself does not upload symlinks but duplicates the linked entry, and has been doing so for years. Those whose dependencies all come from pub.dev, from third-party repositories trusted not to contain malicious code, or from git dependencies are not affected by this vulnerability.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-02-25
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)

Vendor   Product                          Version / Range
dart     dart_software_development_kit    up to 3.11.0 (exclusive)
flutter  flutter                          up to 3.41.0 (exclusive)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-27704 is a "Zip slip" vulnerability in the Dart and Flutter SDKs' pub client tools (`dart pub` and `flutter pub`). When these tools extract package archives into the PUB_CACHE directory, a malicious package archive can exploit symbolic links combined with directory traversal sequences to extract files outside the intended destination directory.

The issue arises because the extraction process did not normalize file paths before writing files, allowing attackers to use paths like `../` to escape the target directory and place files arbitrarily on the filesystem.

This vulnerability was fixed by normalizing file paths before extraction, preventing directory traversal attacks via symlinks. The fix was released in Dart 3.11.0 and Flutter 3.41.0. [1, 2]


How can this vulnerability impact me?

This vulnerability allows a malicious package archive to extract files outside the intended package cache directory during installation. This could lead to arbitrary files being written anywhere on the filesystem where the user has write permissions.

However, the impact is limited because:

  • All packages on pub.dev have been vetted to exclude this vulnerability.
  • New packages are disallowed from containing symlinks.
  • The pub client does not upload symlinks but duplicates linked entries.
  • Users relying only on packages from pub.dev, trusted third-party repositories, or git dependencies are not affected.

The vulnerability does not allow unauthorized data access, modification, or denial of service, but it poses a risk of arbitrary file extraction outside the intended directory during package installation.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves malicious package archives extracting files outside the intended directory via symlink and path traversal during package extraction by the pub client.

Detection can focus on monitoring the extraction process of Dart or Flutter packages, especially looking for unusual file writes outside the expected PUB_CACHE directory.

Since the vulnerability is related to path traversal in tar.gz extraction, you can check for suspicious archive contents before extraction by inspecting package archives for symlinks or path traversal sequences.

  • Use commands like `tar -tzf <package>.tar.gz` to list archive contents and look for entries with `../` or symlinks.
  • Monitor file system activity during package extraction to detect writes outside the expected directories, for example using `inotifywait` on Linux.
  • Check the version of Dart and Flutter SDKs with `dart --version` and `flutter --version` to ensure they are at or above the fixed versions (Dart 3.11.0 and Flutter 3.41.0).

Because the pub client itself does not upload symlinks and all packages on pub.dev have been vetted, the risk is mainly from untrusted third-party or local packages.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade to Dart SDK version 3.11.0 or later and Flutter SDK version 3.41.0 or later, where the vulnerability has been fixed by normalizing file paths during extraction.

Avoid using untrusted or local package archives that might contain malicious symlinks or path traversal payloads.

Rely on packages from pub.dev or trusted third-party repositories and git dependencies, as these have been vetted or are not affected.

If upgrading immediately is not possible, manually inspect package archives for symlinks or suspicious paths before extraction.

Consider monitoring file system activity during package extraction to detect any unexpected writes outside the PUB_CACHE directory.
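The detection answer above suggests listing archive contents and looking for `../` entries or symlinks, and the mitigation answer repeats the advice to inspect archives before extraction. The script below is an added example (not code from the Dart project, the pub client, or this page) that does that inspection programmatically for any `.tar.gz`, and also shows the normalize-then-compare check the fix describes: a member path is normalized against the destination directory and rejected if it resolves outside it. The destination path and the sample archive (one benign file, one traversal path, one symlink entry) are constructed for the demonstration; `resolves_inside` and `audit_archive` are hypothetical names, not pub client APIs.

```python
"""Pre-extraction audit of a tar.gz package archive.

Flags the two conditions described in CVE-2026-27704: member paths that
escape the destination directory once normalized, and symlink/hardlink
entries. It never extracts anything, so it is safe to run on an untrusted
archive before handing it to `dart pub` / `flutter pub`.
"""
import io
import posixpath
import sys
import tarfile


def resolves_inside(dest_root: str, member_name: str) -> bool:
    """Return True if member_name, after normalization, stays under dest_root.

    Tar member names are POSIX paths, so posixpath is used regardless of host.
    An absolute member name replaces the root in join() and is therefore
    rejected as well. This is the "normalize before write" rule, applied as a
    pre-check instead of at write time.
    """
    root = posixpath.normpath(dest_root)
    prefix = root if root.endswith("/") else root + "/"
    target = posixpath.normpath(posixpath.join(root, member_name))
    return target == root or target.startswith(prefix)


def audit_archive(data: bytes, dest_root: str) -> list[tuple[str, str]]:
    """Return (member_name, reason) findings for a gzip-compressed tar in memory.

    Symlinks are reported separately from path escapes: path normalization
    alone cannot tell that a later entry would be written through a link
    that points outside the destination, which is why the advisory notes
    that new pub.dev packages may not contain symlinks at all.
    """
    findings: list[tuple[str, str]] = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.issym() or member.islnk():
                findings.append((member.name, f"link entry -> {member.linkname}"))
            if not resolves_inside(dest_root, member.name):
                findings.append((member.name, "path escapes destination"))
    return findings


def _add_file(tar: tarfile.TarFile, name: str, content: bytes) -> None:
    info = tarfile.TarInfo(name)
    info.size = len(content)
    tar.addfile(info, io.BytesIO(content))


def build_sample_archive() -> bytes:
    """Constructed sample archive (not a real package) with one entry of each kind."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        _add_file(tar, "lib/main.dart", b"void main() {}\n")      # benign
        _add_file(tar, "../../escaped.txt", b"outside\n")          # traversal path
        link = tarfile.TarInfo("evil_link")                          # symlink entry
        link.type = tarfile.SYMTYPE
        link.linkname = "../../.."
        tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python audit_pub_archive.py <package>.tar.gz <destination-dir>
    # With no arguments, the constructed sample archive is audited instead.
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as fh:
            archive, dest = fh.read(), sys.argv[2]
    else:
        archive, dest = build_sample_archive(), "/tmp/pub-cache/hosted/example/foo-1.0.0"
    for name, reason in audit_archive(archive, dest):
        print(f"REJECT {name!r}: {reason}")
```

Run it against a downloaded archive with the directory the pub client would extract into (for hosted packages, a subdirectory of `PUB_CACHE`); any finding is a reason not to extract with a pre-3.11.0 Dart or pre-3.41.0 Flutter SDK. Upgrading remains the real fix; this only screens archives that reach a machine before that upgrade happens.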

