The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-27704

CVE-2026-27704: Dart and Flutter SDK Path Traversal Flaw

CVE-2026-27704 is a path traversal vulnerability in Dart and Flutter SDKs that allows malicious packages to extract files outside the PUB_CACHE directory. This article covers technical details, affected versions, and patches.

Published: February 27, 2026

CVE-2026-27704 Overview

A path traversal vulnerability exists in the Dart and Flutter SDKs affecting the pub client (dart pub and flutter pub). When extracting a package in the pub cache, a malicious package archive can leverage symlinks to write files outside the intended destination directory within the PUB_CACHE. This vulnerability affects Dart SDK versions prior to 3.11.0 and Flutter SDK versions prior to 3.41.0.

Critical Impact

Attackers can craft malicious packages that, when installed, write arbitrary files outside the pub cache directory, potentially overwriting system files or injecting malicious code into developer environments.

Affected Products

  • Dart SDK versions prior to 3.11.0
  • Flutter SDK versions prior to 3.41.0
  • Applications using the pub client with untrusted package sources

Discovery Timeline

  • 2026-02-25 - CVE CVE-2026-27704 published to NVD
  • 2026-02-25 - Last updated in NVD database

Technical Details for CVE-2026-27704

Vulnerability Analysis

This vulnerability is classified as CWE-22 (Path Traversal). The flaw resides in the file extraction logic within lib/src/io.dart where the pub client processes tar.gz package archives. When extracting files from a package archive, the pub client constructs destination file paths by joining the destination directory with the file name from the archive entry. The vulnerability arises because the file path is not normalized before being used for file write operations.

An attacker can exploit this by crafting a malicious package archive containing symlinks that point to parent directories. Since the path is not normalized, symbolic links with ../ sequences can escape the intended PUB_CACHE directory boundary, allowing files to be written to arbitrary locations on the file system where the user running the pub client has write permissions.

Root Cause

The root cause is insufficient input validation on archive entry paths during extraction. The pub client failed to normalize file paths before writing extracted content, allowing directory traversal sequences embedded in symlinks to escape the designated extraction directory. The vulnerable code path directly joined destination paths with tar entry names without sanitization.

Attack Vector

The attack requires an adversary to publish or distribute a malicious Dart/Flutter package containing specially crafted archive entries with symlink-based path traversal sequences. When a developer installs the malicious package using dart pub get or flutter pub get, the extraction process writes files outside the intended cache directory. This is a network-based attack vector since packages are typically fetched from remote repositories.

text
   while (await reader.moveNext()) {
     final entry = reader.current;
 
-    final filePath = p.joinAll([
-      destination,
-      // Tar file names always use forward slashes
-      ...p.posix.split(entry.name),
-    ]);
+    final filePath = p.normalize(
+      p.joinAll([
+        destination,
+        // Tar file names always use forward slashes
+        ...p.posix.split(entry.name),
+      ]),
+    );
     if (!paths.add(filePath)) {
       // The tar file contained the same entry twice. Assume it is broken.
       await reader.cancel();

Source: GitHub Commit Details

The patch introduces p.normalize() around the joined file path, which resolves symlinks and removes directory traversal sequences before the file is written, effectively preventing the escape from the destination directory.

Detection Methods for CVE-2026-27704

Indicators of Compromise

  • Unexpected files appearing outside of the PUB_CACHE directory after package installation
  • Package archives containing symlinks with ../ path sequences in entry names
  • Modified system or application files following dart pub get or flutter pub get operations
  • Unusual file write activity from pub client processes to directories outside the cache

Detection Strategies

  • Monitor file system operations from dart and flutter processes for writes outside the expected PUB_CACHE directory
  • Implement file integrity monitoring on critical system directories to detect unauthorized modifications
  • Scan incoming package archives for symlink entries containing directory traversal sequences
  • Review pub cache contents for unexpected symlink structures pointing outside the cache

Monitoring Recommendations

  • Enable verbose logging for pub client operations to capture file extraction paths
  • Configure endpoint detection to alert on path traversal patterns in file operations
  • Implement automated scanning of package dependencies for known vulnerability indicators
  • Set up alerts for file modifications in system directories coinciding with package installation activity

How to Mitigate CVE-2026-27704

Immediate Actions Required

  • Upgrade Dart SDK to version 3.11.0 or later immediately
  • Upgrade Flutter SDK to version 3.41.0 or later immediately
  • Audit recently installed packages from untrusted sources for potential compromise
  • Review file system for unexpected modifications outside the pub cache directory

Patch Information

The vulnerability has been addressed in commit 26c6985c742593d081f8b58450f463a584a4203a. The fix normalizes file paths before writing, preventing attackers from escaping the destination directory via symlinks. This patch is included in Dart 3.11.0 and Flutter 3.41.0. All packages hosted on pub.dev have been vetted for this vulnerability, and new packages are no longer permitted to contain symlinks.

For detailed patch information, refer to the GitHub Security Advisory.

Workarounds

  • Use only packages from trusted sources such as pub.dev, which has been vetted and no longer allows symlinks
  • Avoid installing packages from third-party repositories or git dependencies that have not been security reviewed
  • Run pub client operations in sandboxed environments with restricted file system access
  • Implement file system access controls to limit write permissions outside the pub cache directory
bash
# Check current Dart SDK version
dart --version

# Upgrade Dart SDK to patched version
# For standalone Dart:
brew upgrade dart  # macOS
choco upgrade dart-sdk  # Windows

# Check current Flutter SDK version  
flutter --version

# Upgrade Flutter SDK to patched version
flutter upgrade

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypePath Traversal
  • Vendor/TechDart
  • SeverityMEDIUM
  • CVSS Score6.6
  • EPSS Probability0.05%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityNone
  • CWE References
  • CWE-22
  • Technical References
  • GitHub Commit Details
  • GitHub Security Advisory
  • Latest CVEs
  • CVE-2025-70797: LimeSurvey XSS Vulnerability
  • CVE-2025-30650: Juniper Junos OS Auth Bypass Vulnerability
  • CVE-2026-35471: Goshs Path Traversal Vulnerability
  • CVE-2026-35393: Goshs Path Traversal Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English