CVE-2026-27704

The Dart and Flutter SDKs provide software development kits for the Dart programming language. In versions of the Dart SDK prior to 3.11.0 and the Flutter SDK prior to version 3.41.0, when the pub client (`dart pub` and `flutter pub`) extracts a package in the pub cache, a malicious package archive can have files extracted outside the destination directory in the `PUB_CACHE`. A fix has been landed in commit 26c6985c742593d081f8b58450f463a584a4203a. By normalizing the file path before writing a file, the attacker can no longer traverse up via a symlink. This patch is released in Dart 3.11.0 and Flutter 3.41.0. All packages on pub.dev have been vetted for this vulnerability. New packages are no longer allowed to contain symlinks. The pub client itself doesn't upload symlinks, but duplicates the linked entry, and has been doing this for years. Those whose dependencies are all from pub.dev, third-party repositories trusted to not contain malicious code, or git dependencies are not affected by this vulnerability.
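As an added defensive illustration of the check the fix describes (this is not the pub client's own code), the Python extractor below normalizes each entry's destination path and each symlink's target with realpath and stops at the first entry that resolves outside the cache directory; because realpath also follows any symlink already on disk, a later file that would be written through an earlier link is caught as well. The names `safe_extract`, `_within`, `_tar` and `demo` are chosen here, and the archive `demo` builds is a constructed sample.

```python
import io, os, tarfile, tempfile

def _within(root, path):
    # realpath normalizes '..' and follows symlinks already on disk (write-through case)
    return os.path.commonpath([root, os.path.realpath(path)]) == root

def safe_extract(archive, dest):
    """Extract into dest; stop at the first escaping entry. Returns (written, offender)."""
    root = os.path.realpath(dest)
    written = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for m in tar.getmembers():
            target = os.path.join(root, m.name)
            if not _within(root, target):
                return written, m.name
            if m.issym():  # link target is relative to the link's own directory
                link_dst = os.path.join(os.path.dirname(target), m.linkname)
                if os.path.isabs(m.linkname) or not _within(root, link_dst):
                    return written, m.name
            os.makedirs(target if m.isdir() else os.path.dirname(target), exist_ok=True)
            if m.issym():
                os.symlink(m.linkname, target)
            elif m.isfile():
                with open(target, "wb") as f:
                    f.write(tar.extractfile(m).read())
            elif not m.isdir():  # hard links, devices: not package content
                return written, m.name
            written.append(m.name)
    return written, None

def _tar(entries):
    """Constructed sample archive: a str value is a symlink target, bytes a file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, value in entries:
            info = tarfile.TarInfo(name)
            if isinstance(value, str):
                info.type, info.linkname = tarfile.SYMTYPE, value
                tar.addfile(info)
            else:
                info.size = len(value)
                tar.addfile(info, io.BytesIO(value))
    return buf.getvalue()

def demo():
    archive = _tar([("pkg/lib/main.dart", b"void main() {}"),
                    ("pkg/up", "../../"), ("pkg/up/pwned", b"x")])  # link above the cache, file through it
    with tempfile.TemporaryDirectory() as cache:
        return safe_extract(archive, cache)
```

A package manager should delete the partially written directory when `offender` is not None rather than keep a half-installed package.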
Configurations

Configuration 1

OR
  • cpe:2.3:a:dart:dart_software_development_kit:*:*:*:*:*:*:*:*
  • cpe:2.3:a:flutter:flutter:*:*:*:*:*:*:*:*

History

13 Mar 2026, 00:56

Type: CPE
  Values Added:
    • cpe:2.3:a:flutter:flutter:*:*:*:*:*:*:*:*
    • cpe:2.3:a:dart:dart_software_development_kit:*:*:*:*:*:*:*:*

Type: Summary
  Values Added:
    • (es, translated) The Dart and Flutter SDKs provide software development kits for the Dart programming language. In versions of the Dart SDK prior to 3.11.0 and of the Flutter SDK prior to version 3.41.0, when the pub client ('dart pub' and 'flutter pub') extracts a package into the pub cache, a malicious package archive can have files extracted outside the destination directory in the `PUB_CACHE`. A fix has been implemented in commit 26c6985c742593d081f8b58450f463a584a4203a. By normalizing the file path before writing the file, the attacker can no longer traverse upward via a symbolic link. This patch is released in Dart 3.11.0 and Flutter 3.41.0. All packages on pub.dev have been vetted for this vulnerability. New packages are no longer allowed to contain symbolic links. The pub client itself does not upload symbolic links, but duplicates the linked entry, and has been doing this for years. Those whose dependencies all come from pub.dev, from third-party repositories trusted not to contain malicious code, or from git dependencies are not affected by this vulnerability.

Type: First Time
  Values Added:
    • Dart
    • Flutter flutter
    • Dart dart Software Development Kit
    • Flutter

Type: References
  Values Added:
    • https://github.com/dart-lang/pub/commit/26c6985c742593d081f8b58450f463a584a4203a (Patch)
    • https://github.com/dart-lang/sdk/security/advisories/GHSA-q739-79rh-vmvp (Patch, Vendor Advisory)

Type: CVSS
  Values Removed: v2 : unknown; v3 : unknown
  Values Added: v2 : unknown; v3 : 7.5

25 Feb 2026, 16:23

Type: New CVE

Information

Published : 2026-02-25 16:23

Updated : 2026-03-13 00:56


NVD link : CVE-2026-27704

Mitre link : CVE-2026-27704

CVE.ORG link : CVE-2026-27704


Products Affected

flutter

  • flutter

dart

  • dart_software_development_kit

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')