CVE-2026-27704— Dart SDK and Flutter SDK have Zip slip in Dart Pub package extraction

Dart SDK and Flutter SDK have Zip slip in Dart Pub package extraction

The Dart and Flutter SDKs provide software development kits for the Dart programming language. In versions of the Dart SDK prior to 3.11.0 and the Flutter SDK prior to version 3.41.0, when the pub client (`dart pub` and `flutter pub`) extracts a package in the pub cache, a malicious package archive can have files extracted outside the destination directory in the `PUB_CACHE`. A fix has been landed in commit 26c6985c742593d081f8b58450f463a584a4203a. By normalizing the file path before writing file, the attacker can no longer traverse up via a symlink. This patch is released in Dart 3.11.0 and Flutter 3.41.0.vAll packages on pub.dev have been vetted for this vulnerability. New packages are no longer allowed to contain symlinks. The pub client itself doesn't upload symlinks, but duplicates the linked entry, and has been doing this for years. Those whose dependencies are all from pub.dev, third-party repositories trusted to not contain malicious code, or git dependencies are not affected by this vulnerability.

N/A

对路径名的限制不恰当(路径遍历)

Dart 路径遍历漏洞

Dart是Dart开源的一款开源的编程语言。 Dart存在路径遍历漏洞，该漏洞源于pub客户端在提取包时，恶意包存档中的文件可能被提取到PUB_CACHE中目标目录之外，可能导致路径遍历攻击。

N/A

N/A