Cyber Resilience

CVE-2024-54461

Low

Published: 29 January 2025
Modified: 30 July 2025
CISA KEV: not listed
CVSS v4.0 base score: 2.1 (Low)
CVSS v4.0 vector: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:A/VC:N/VI:L/VA:L/SC:N/SI:H/SA:H (all environmental, threat and supplemental metrics Not Defined)
EPSS score: 0.0002 (5.7th percentile)
Risk priority: 4 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-54461 is a Relative Path Traversal (CWE-23) vulnerability in file_selector_android, the Android implementation of Flutter's file_selector package. Its CVSS v4.0 base score is 2.1 (Low); the CVSS v3.1 vector published for the same issue scores 7.1 (High), so the severity a triage process assigns depends on which scoring version it uses.

Operationally, exploitation maps to the MITRE ATT&CK technique Stored Data Manipulation (T1565.001). EPSS ranks it at the 5.7th percentile by exploit likelihood, well below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-54461 is a path traversal vulnerability (CWE-22, CWE-23) in the file_selector package, specifically its Android implementation, file_selector_android, in the flutter/packages repository. The file name the plugin builds for a picked document is taken from the document provider without sanitization, so a malicious provider can return a display name containing path separators or ".." segments and make the plugin write outside the intended location, overwriting files in the application's cache. The issue was published on 2025-01-29. Separately from the CVSS v4.0 score shown above, it carries a CVSS v3.1 vector of AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H (base score 7.1); the two scoring versions diverge sharply for this issue, so check which one your triage process keys on.

Exploitation requires local access: the attacker must get a malicious document provider app installed on the same device (AV:L), and the victim must then pick a document from that provider while using the vulnerable app (UI:R). Because the provider controls the name under which the picked document is reported, a crafted name lets it overwrite files in the app's cache directory, corrupting app data or breaking functionality (high integrity and availability impact). No confidentiality impact is recorded (C:N).
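The two code paths described above, as an added illustration that is not file_selector_android's own code: a provider-chosen display name joined straight onto the cache directory (the vulnerable shape) next to a hardened version that keeps only the final path segment and then checks canonical containment. The Android-side retrieval of the name (a ContentResolver query for OpenableColumns.DISPLAY_NAME) is assumed and replaced here by constructed strings, so the class compiles and runs on a plain JDK.

```java
import java.io.File;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

/**
 * Added illustration, not the plugin's code. A document provider controls
 * the DISPLAY_NAME it reports for a picked document; if the app copies the
 * document into its cache under that name unchecked, a name carrying path
 * separators or ".." escapes the cache directory.
 */
public class CacheNameCheck {

    /** Vulnerable shape: provider-controlled name joined straight onto the cache dir. */
    static File unsafeTarget(File cacheDir, String displayName) {
        return new File(cacheDir, displayName);
    }

    /**
     * Hardened shape: drop any directory components, reject empty/dot/NUL names,
     * and confirm the canonical result still lies inside the cache directory.
     */
    static File safeTarget(File cacheDir, String displayName) throws IOException {
        // Keep only the last path segment, whichever separator style was used.
        String base = displayName.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);
        // Reject names that are empty, ".", "..", or contain NUL (truncation risk).
        if (base.isEmpty() || base.equals(".") || base.equals("..") || base.indexOf('\0') >= 0) {
            throw new IOException("rejected document name: " + displayName);
        }
        File candidate = new File(cacheDir, base);
        // Defence in depth: canonicalise both sides and check containment.
        // The trailing separator stops "app-cache2" from matching "app-cache".
        String cacheCanon = cacheDir.getCanonicalPath() + File.separator;
        if (!candidate.getCanonicalPath().startsWith(cacheCanon)) {
            throw new IOException("path escapes cache: " + displayName);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Stand-in for the app's cache directory (assumed location).
        File cacheDir = new File(System.getProperty("java.io.tmpdir"), "app-cache");
        // Constructed DISPLAY_NAME values a malicious provider might return.
        List<String> names = Arrays.asList(
                "report.pdf",
                "../shared_prefs/settings.xml",
                "..\\..\\databases\\app.db",
                "/data/data/com.example.app/files/config.json");
        for (String n : names) {
            File unsafe = unsafeTarget(cacheDir, n);
            System.out.printf("%-46s unsafe -> %s%n", n, unsafe.getCanonicalPath());
            try {
                System.out.printf("%-46s safe   -> %s%n", "", safeTarget(cacheDir, n));
            } catch (IOException e) {
                System.out.printf("%-46s safe   -> REJECTED (%s)%n", "", e.getMessage());
            }
        }
    }
}
```

Running it shows the unsafe path for the second and third names resolving to shared_prefs and databases siblings of the cache directory, while the hardened version reduces every name to its last segment inside the cache. Note the hardened version silently renames rather than rejects traversal attempts; if the app needs to surface that to the user, throw on any name whose sanitized form differs from the original instead.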

The flutter/packages security advisory GHSA-r465-vhm9-7r5h confirms the issue was patched in file_selector_android 0.5.1+12; update to that version or later. Most apps depend on file_selector and pull file_selector_android in transitively, so check the resolved version in pubspec.lock rather than the constraint in pubspec.yaml, and re-resolve (for example with flutter pub upgrade file_selector_android) if the locked version is older than 0.5.1+12.

Vulnerability details

The file names constructed within file_selector are missing sanitization checks, leaving them vulnerable to malicious document providers. This may result in cases where a user with a malicious document provider installed can select a document file from that provider while using your app and could potentially override internal files in your app cache. Issue patched in 0.5.1+12. It is recommended to update to the latest version of file_selector_android that contains the changes to address this vulnerability.

CWE(s)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-23 Relative Path Traversal

Related Threats

MITRE ATT&CK Enterprise Techniques

T1565.001 Stored Data Manipulation (tactic: Impact)
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Path traversal enables direct overwrite of cached application files, facilitating stored data manipulation with integrity/availability impact.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-54462 (same vendor: Flutter)
CVE-2025-25371 (shared CWE-22)
CVE-2026-27625 (shared CWE-22, CWE-23)
CVE-2026-22070 (shared CWE-22, CWE-23)
CVE-2026-28265 (shared CWE-22)
CVE-2026-27704 (same vendor: Flutter)
CVE-2025-27410 (shared CWE-22, CWE-23)
CVE-2026-25121 (shared CWE-22, CWE-23)
CVE-2026-7404 (shared CWE-22, CWE-23)
CVE-2025-29789 (shared CWE-22, CWE-23)

Affected Assets

Vendor: Flutter
Product: file_selector_android
Versions: 0.5.1 up to, but not including, 0.5.1+12 (fixed in 0.5.1+12)

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): directly mitigates the vulnerability by requiring timely flaw remediation, here by updating file_selector_android to the patched version 0.5.1+12, which adds file name sanitization.

SI-10 Information Input Validation (prevent): requires validation of file names constructed from document providers, so that path traversal sequences cannot redirect writes onto app cache files.

Restriction of user-installed software (prevent): monitoring and restricting user-installed software blocks the malicious document provider app that exploitation depends on.
