PT-2026-21924 · Google · Flutter Sdk+1

Splitline · Published 2026-02-25 · Updated 2026-03-13 · CVE-2026-27704

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Dart SDK versions prior to 3.11.0
Flutter SDK versions prior to 3.41.0

Description

The Dart and Flutter SDKs are susceptible to a path traversal issue in the pub client (dart pub and flutter pub) when extracting package archives from the PUB_CACHE. A malicious package archive could potentially write files outside the intended destination directory. This occurs because the pub client does not properly normalize file paths before writing files, allowing an attacker to traverse up the directory structure using symlinks. The issue is addressed by normalizing the file path before writing, preventing unauthorized file access. All packages on pub.dev have been vetted for this issue, and new packages are no longer permitted to contain symlinks.

Recommendations

Dart SDK versions prior to 3.11.0 should be updated to version 3.11.0 or later.
Flutter SDK versions prior to 3.41.0 should be updated to version 3.41.0 or later.
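
For teams that mirror or vendor package archives, the two controls named in the description (normalize the path before writing, and permit no symlinks) can be checked before anything is unpacked. The following is an added example, not code from the pub client; the function names, the destination name "pkg" and the sample archive are assumptions constructed for illustration.

```python
import io
import posixpath
import tarfile


def audit_archive(data: bytes, dest: str = "pkg") -> list[tuple[str, str]]:
    """Return (entry name, reason) for every entry that must not be extracted."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            # Normalize the path the entry would be written to, then require
            # that the result still lies under the destination directory.
            target = posixpath.normpath(posixpath.join(dest, m.name))
            inside = target == dest or target.startswith(dest + "/")
            if posixpath.isabs(m.name) or not inside:
                findings.append((m.name, "path escapes destination"))
            elif m.issym() or m.islnk():
                # Lexical normalization cannot see where a link leads once it
                # exists on disk, so link entries are rejected outright.
                findings.append((m.name, "link entry -> " + m.linkname))
            elif not (m.isfile() or m.isdir()):
                findings.append((m.name, "unexpected entry type"))
    return findings


def build_sample() -> bytes:
    """Constructed test archive: a regular file, a '..' path and a symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in ("lib/main.dart", "lib/../../outside.txt"):
            body = b"// sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
        link = tarfile.TarInfo("assets")
        link.type = tarfile.SYMTYPE
        link.linkname = "lib"
        tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in audit_archive(build_sample()):
        print(f"REJECT {name}: {reason}")
```

An archive with any finding should be rejected whole rather than extracted with the flagged entries skipped.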

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-27704
GHSA-Q739-79RH-VMVP

Affected Products

Dart Sdk
Flutter Sdk