CVE-2026-27704
Directory Traversal in Dart and Flutter Pub Package Extraction
Publication date: 2026-02-25
Last updated on: 2026-03-13
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Affected versions |
|---|---|---|
| dart | dart_software_development_kit | all versions before 3.11.0 (3.11.0 is fixed) |
| flutter | flutter | all versions before 3.41.0 (3.41.0 is fixed) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27704 is a "Zip slip" vulnerability in the pub client tools shipped with the Dart and Flutter SDKs (`dart pub` and `flutter pub`). When these tools extract a package archive into the PUB_CACHE directory, a malicious archive can combine symbolic links with directory traversal sequences to have files written outside the intended destination directory.

The issue arises because the extraction process did not normalize entry paths before writing files. An entry whose path contains `../` components, or whose path passes through a symlink pointing outside the package directory, could therefore escape the destination and land at any location the installing user can write to.

The fix normalizes file paths before extraction, which prevents traversal outside the destination directory, including traversal routed through symlinks. It shipped in Dart 3.11.0 and Flutter 3.41.0. [1, 2]
How can this vulnerability impact me?
This vulnerability allows a malicious package archive to write files outside the intended package cache directory while it is being installed. Any location where the installing user has write permission is reachable.
In practice the exposure is limited because:
- All packages already on pub.dev have been vetted and do not contain this pattern.
- New packages are disallowed from containing symlinks.
- The pub client never uploads symlinks; when publishing, it replaces each symlink with a copy of the linked content.
- Users who rely only on packages from pub.dev, trusted third-party repositories, or git dependencies are not affected.
The vulnerability does not expose data for reading and is not a denial of service. Because the writes happen with the installing user's privileges, the impact is an integrity one: an untrusted archive can plant or overwrite files outside the PUB_CACHE directory during installation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is triggered by a malicious package archive whose entries escape the destination directory, via symlinks or `../` sequences, when the pub client extracts it.
Detection therefore focuses on two things: the contents of package archives before they are extracted, and file writes that land outside the expected PUB_CACHE directory while extraction runs.
Because the flaw is path traversal during tar.gz extraction, the most direct check is to inspect an archive's entry list for symlinks and traversal sequences before letting the pub client touch it.
- Use `tar -tvzf <package>.tar.gz` to list archive contents together with entry types. Look for names containing `../` or beginning with `/`, and for symlink entries (type `l`, printed as `name -> target`) whose target leaves the package directory. Note that the plain `tar -tzf` listing prints names only and will not show you link targets.
- Monitor file system activity during package extraction to detect writes outside the expected directories, for example using `inotifywait` on Linux.
- Check the version of Dart and Flutter SDKs with `dart --version` and `flutter --version` to ensure they are at or above the fixed versions (Dart 3.11.0 and Flutter 3.41.0).
Because the pub client itself does not upload symlinks and all packages on pub.dev have been vetted, the risk is mainly from untrusted third-party or local packages.
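The following script is an added example for the archive-inspection step described in the detection answer above and again in the mitigation advice further down; it is not code from the Dart SDK or the pub client. It applies the same idea as the fix, normalising every entry path against the destination directory before anything would be written, and goes one step further by resolving symlink targets so that an entry that writes *through* a symlink into a parent directory is also caught. `DEST_ROOT` is an assumed PUB_CACHE location and the archives are constructed in memory for the demonstration.

```python
"""Pre-extraction scan of a pub package archive for Zip-slip entries.

Added example, not code from the Dart SDK or the pub client. Every entry
name is normalised against the extraction directory, symlink targets are
resolved, and later entries are re-mapped through earlier symlinks.
"""
import io
import posixpath
import tarfile

# Assumed extraction directory for a hosted package named evil-1.0.0.
DEST_ROOT = "/home/user/.pub-cache/hosted/pub.dev/evil-1.0.0"


def _inside(root, path):
    """True if the normalised POSIX path is root itself or lies below it."""
    return path == root or path.startswith(root + "/")


def scan_archive(archive_bytes, dest_root=DEST_ROOT):
    """Return (finding, entry_name) pairs for entries that would escape dest_root.

    Findings: path-traversal (".." or absolute entry name), symlink-escape
    (symlink target outside dest_root), write-through-symlink (a later entry
    whose path passes through such a symlink), hardlink-escape.
    """
    findings = []
    symlinks = {}  # normalised symlink path -> normalised resolved target
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tf:
        for member in tf.getmembers():
            # posixpath.join discards dest_root when the entry name is absolute,
            # and normpath collapses "..", so both cases fail the containment test.
            full = posixpath.normpath(posixpath.join(dest_root, member.name))
            if not _inside(dest_root, full):
                findings.append(("path-traversal", member.name))
                continue
            # Re-map the entry through any symlink already seen on its path.
            for link, target in symlinks.items():
                if _inside(link, full):
                    real = posixpath.normpath(posixpath.join(target, full[len(link) + 1:]))
                    if not _inside(dest_root, real):
                        findings.append(("write-through-symlink", member.name))
                    break
            if member.issym():
                if posixpath.isabs(member.linkname):
                    target = posixpath.normpath(member.linkname)
                else:
                    target = posixpath.normpath(
                        posixpath.join(posixpath.dirname(full), member.linkname))
                symlinks[full] = target
                if not _inside(dest_root, target):
                    findings.append(("symlink-escape", member.name))
            elif member.islnk():
                target = posixpath.normpath(posixpath.join(dest_root, member.linkname))
                if not _inside(dest_root, target):
                    findings.append(("hardlink-escape", member.name))
    return findings


def build_archive(entries):
    """Build a .tar.gz in memory from (name, kind, payload) tuples (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "file":
                data = payload.encode()
                info.size = len(data)
                tf.addfile(info, io.BytesIO(data))
            else:  # "symlink"
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tf.addfile(info)
    return buf.getvalue()


# Constructed sample: a well-formed package plus the escape patterns.
MALICIOUS_ARCHIVE = build_archive([
    ("pubspec.yaml", "file", "name: evil\nversion: 1.0.0\n"),
    ("lib/evil.dart", "file", "void main() {}\n"),
    ("../../../.bashrc", "file", "echo pwned\n"),     # plain traversal
    ("escape", "symlink", "../../../../.."),          # resolves to /home
    ("escape/.bashrc", "file", "echo pwned\n"),       # written through the link
    ("lib/link_ok", "symlink", "evil.dart"),          # harmless in-tree link
])
CLEAN_ARCHIVE = build_archive([
    ("pubspec.yaml", "file", "name: good\nversion: 1.0.0\n"),
    ("lib/good.dart", "file", "void main() {}\n"),
])

if __name__ == "__main__":
    for kind, name in scan_archive(MALICIOUS_ARCHIVE):
        print(f"{kind:22} {name}")
    print("clean archive findings:", scan_archive(CLEAN_ARCHIVE))
```

Run it on a downloaded archive by passing the file's bytes to `scan_archive` and the directory the pub client would extract into as `dest_root`; an empty result means no entry resolves outside that directory. The containment test deliberately compares against `root + "/"` rather than a bare prefix, so a sibling directory such as `evil-1.0.0-extra` is not mistaken for a location inside `evil-1.0.0`.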
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade to Dart SDK version 3.11.0 or later and Flutter SDK version 3.41.0 or later, where the vulnerability has been fixed by normalizing file paths during extraction.
Avoid using untrusted or local package archives that might contain malicious symlinks or path traversal payloads.
Rely on packages from pub.dev or trusted third-party repositories and git dependencies, as these have been vetted or are not affected.
If upgrading immediately is not possible, manually inspect package archives for symlinks or suspicious paths before extraction.
Consider monitoring file system activity during package extraction to detect any unexpected writes outside the PUB_CACHE directory.