CVE-2026-27704 Overview
A path traversal vulnerability exists in the Dart and Flutter SDKs affecting the pub client (dart pub and flutter pub). When extracting a package in the pub cache, a malicious package archive can leverage symlinks to write files outside the intended destination directory within the PUB_CACHE. This vulnerability affects Dart SDK versions prior to 3.11.0 and Flutter SDK versions prior to 3.41.0.
Critical Impact
Attackers can craft malicious packages that, when installed, write arbitrary files outside the pub cache directory, potentially overwriting system files or injecting malicious code into developer environments.
Affected Products
- Dart SDK versions prior to 3.11.0
- Flutter SDK versions prior to 3.41.0
- Applications using the pub client with untrusted package sources
Discovery Timeline
- 2026-02-25 - CVE CVE-2026-27704 published to NVD
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2026-27704
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Path Traversal). The flaw resides in the file extraction logic within lib/src/io.dart where the pub client processes tar.gz package archives. When extracting files from a package archive, the pub client constructs destination file paths by joining the destination directory with the file name from the archive entry. The vulnerability arises because the file path is not normalized before being used for file write operations.
An attacker can exploit this by crafting a malicious package archive containing symlinks that point to parent directories. Since the path is not normalized, symbolic links with ../ sequences can escape the intended PUB_CACHE directory boundary, allowing files to be written to arbitrary locations on the file system where the user running the pub client has write permissions.
Root Cause
The root cause is insufficient input validation on archive entry paths during extraction. The pub client failed to normalize file paths before writing extracted content, allowing directory traversal sequences embedded in symlinks to escape the designated extraction directory. The vulnerable code path directly joined destination paths with tar entry names without sanitization.
Attack Vector
The attack requires an adversary to publish or distribute a malicious Dart/Flutter package containing specially crafted archive entries with symlink-based path traversal sequences. When a developer installs the malicious package using dart pub get or flutter pub get, the extraction process writes files outside the intended cache directory. This is a network-based attack vector since packages are typically fetched from remote repositories.
while (await reader.moveNext()) {
final entry = reader.current;
- final filePath = p.joinAll([
- destination,
- // Tar file names always use forward slashes
- ...p.posix.split(entry.name),
- ]);
+ final filePath = p.normalize(
+ p.joinAll([
+ destination,
+ // Tar file names always use forward slashes
+ ...p.posix.split(entry.name),
+ ]),
+ );
if (!paths.add(filePath)) {
// The tar file contained the same entry twice. Assume it is broken.
await reader.cancel();
Source: GitHub Commit Details
The patch introduces p.normalize() around the joined file path, which resolves symlinks and removes directory traversal sequences before the file is written, effectively preventing the escape from the destination directory.
Detection Methods for CVE-2026-27704
Indicators of Compromise
- Unexpected files appearing outside of the PUB_CACHE directory after package installation
- Package archives containing symlinks with ../ path sequences in entry names
- Modified system or application files following dart pub get or flutter pub get operations
- Unusual file write activity from pub client processes to directories outside the cache
Detection Strategies
- Monitor file system operations from dart and flutter processes for writes outside the expected PUB_CACHE directory
- Implement file integrity monitoring on critical system directories to detect unauthorized modifications
- Scan incoming package archives for symlink entries containing directory traversal sequences
- Review pub cache contents for unexpected symlink structures pointing outside the cache
Monitoring Recommendations
- Enable verbose logging for pub client operations to capture file extraction paths
- Configure endpoint detection to alert on path traversal patterns in file operations
- Implement automated scanning of package dependencies for known vulnerability indicators
- Set up alerts for file modifications in system directories coinciding with package installation activity
How to Mitigate CVE-2026-27704
Immediate Actions Required
- Upgrade Dart SDK to version 3.11.0 or later immediately
- Upgrade Flutter SDK to version 3.41.0 or later immediately
- Audit recently installed packages from untrusted sources for potential compromise
- Review file system for unexpected modifications outside the pub cache directory
Patch Information
The vulnerability has been addressed in commit 26c6985c742593d081f8b58450f463a584a4203a. The fix normalizes file paths before writing, preventing attackers from escaping the destination directory via symlinks. This patch is included in Dart 3.11.0 and Flutter 3.41.0. All packages hosted on pub.dev have been vetted for this vulnerability, and new packages are no longer permitted to contain symlinks.
For detailed patch information, refer to the GitHub Security Advisory.
Workarounds
- Use only packages from trusted sources such as pub.dev, which has been vetted and no longer allows symlinks
- Avoid installing packages from third-party repositories or git dependencies that have not been security reviewed
- Run pub client operations in sandboxed environments with restricted file system access
- Implement file system access controls to limit write permissions outside the pub cache directory
# Check current Dart SDK version
dart --version
# Upgrade Dart SDK to patched version
# For standalone Dart:
brew upgrade dart # macOS
choco upgrade dart-sdk # Windows
# Check current Flutter SDK version
flutter --version
# Upgrade Flutter SDK to patched version
flutter upgrade
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
