Cyber Posture

CVE-2024-54461

High

Published: 29 January 2025

Modified: 30 July 2025
KEV Added: not listed
Patch: available (file_selector_android 0.5.1+12)
CVSS Score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)
EPSS Score: 0.0002 (5.6th percentile)
Risk Priority: 14 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-54461 is a high-severity Relative Path Traversal (CWE-23) vulnerability in Flutter File Selector Android. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Stored Data Manipulation (T1565.001). The CVE is ranked at the 5.6th percentile by exploit likelihood (EPSS, below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Stored Data Manipulation (T1565.001). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

SI-2 Flaw Remediation (prevent)

Directly mitigates the vulnerability by requiring timely flaw remediation: updating file_selector_android to the patched version 0.5.1+12, which includes file name sanitization.

SI-10 Information Input Validation (prevent)

Requires validation of file names constructed from document providers, preventing path traversal that overwrites files in the app cache.

prevent

Monitors and restricts user-installed software, blocking the malicious document provider app that exploitation of the file selection vulnerability requires.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1565.001 Stored Data Manipulation (tactic: Impact)
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Path traversal enables direct overwrite of cached application files, facilitating stored data manipulation with integrity/availability impact.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

The file names constructed within file_selector are missing sanitization checks leaving them vulnerable to malicious document providers. This may result in cases where a user with a malicious document provider installed can select a document file from that provider while using your app and could potentially override internal files in your app cache. Issue patched in 0.5.1+12. It is recommended to update to the latest version of file_selector_android that contains the changes to address this vulnerability.

Deeper analysis (AI-generated)

CVE-2024-54461 is a path traversal vulnerability (CWE-22, CWE-23) in the file_selector package, specifically the file_selector_android component within Flutter packages. The issue stems from missing sanitization checks on file names constructed from document providers, which can enable malicious providers to craft names that override internal files in an application's cache. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H) and was published on 2025-01-29.

Exploitation requires local access to the target device, where an attacker installs a malicious document provider application. A victim user must then interact with a vulnerable app by selecting a document file from the attacker's provider, potentially allowing the attacker to overwrite critical files in the app's cache directory. This results in high integrity and availability impacts, such as corrupting app data or disrupting functionality, though no confidentiality loss occurs.

The Flutter packages security advisory (GHSA-r465-vhm9-7r5h) confirms the issue was patched in file_selector_android version 0.5.1+12. Security practitioners should recommend updating to the latest version of file_selector_android to mitigate the vulnerability.
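The input validation that SI-10 calls for, and that the analysis above describes as missing, comes down to treating the display name a document provider reports (on Android, the `OpenableColumns.DISPLAY_NAME` column) as untrusted and checking it twice: once as a string, once as a resolved path. The following is an added example in plain Java with no Android dependency; it is not the file_selector_android code or its actual fix. The class and method names are my own, and the sample names are constructed to stand in for values a provider might return.

```java
import java.io.File;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

/** Hypothetical guard for file names received from an untrusted document provider. */
public final class DocumentNameGuard {

    /** Returns true only if name is a single plain path segment that cannot traverse. */
    public static boolean isSafeName(String name) {
        if (name == null || name.isEmpty() || name.length() > 255) {
            return false;
        }
        // "." and ".." are valid segments but point outside the intended file.
        if (name.equals(".") || name.equals("..")) {
            return false;
        }
        for (int i = 0; i < name.length(); i++) {
            char c = name.charAt(i);
            // Path separators let a name escape its directory; NUL truncates
            // the path at the OS boundary. Reject all three outright.
            if (c == '/' || c == '\\' || c == '\0') {
                return false;
            }
        }
        return true;
    }

    /**
     * Resolves name inside baseDir and proves, via canonicalization, that the
     * result is still beneath baseDir before returning it.
     */
    public static File resolveInside(File baseDir, String name) throws IOException {
        if (!isSafeName(name)) {
            // Do not echo the raw name: it is attacker-controlled log input.
            throw new IOException("rejected unsafe document name (length "
                    + (name == null ? 0 : name.length()) + ")");
        }
        String base = baseDir.getCanonicalPath();
        File target = new File(baseDir, name);
        String resolved = target.getCanonicalPath();
        // Independent second check: canonical paths catch anything the
        // character filter missed, such as a symlink already present in the cache.
        if (!resolved.startsWith(base + File.separator)) {
            throw new IOException("resolved path escapes base directory");
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed samples standing in for DISPLAY_NAME values from a provider.
        List<String> samples = Arrays.asList(
                "report.pdf",
                "../shared_prefs/app.xml",
                "..",
                "nested/dir/file.txt",
                "evil\0.pdf");
        File cacheDir = new File(System.getProperty("java.io.tmpdir"), "app_cache_demo");
        cacheDir.mkdirs();
        for (String s : samples) {
            try {
                File f = resolveInside(cacheDir, s);
                System.out.println("accepted: " + f.getName());
            } catch (IOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Only the first sample is accepted; the others are refused by the string check before any file is touched. Keeping the canonical-path check as well costs one extra system call and means a later change to the character filter cannot silently reopen the traversal.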

Details

CWE(s)

CWE-22 Path Traversal
CWE-23 Relative Path Traversal

Affected Products

flutter
file_selector_android
0.5.1 to 0.5.1+12

CVEs Like This One

CVE-2024-54462 (same vendor: Flutter)
CVE-2025-25371 (shared CWE-22)
CVE-2026-27625 (shared CWE-22, CWE-23)
CVE-2026-22070 (shared CWE-22, CWE-23)
CVE-2026-28265 (shared CWE-22)
CVE-2026-27704 (same vendor: Flutter)
CVE-2026-33236 (shared CWE-22)
CVE-2026-21659 (shared CWE-22, CWE-23)
CVE-2025-29789 (shared CWE-22, CWE-23)
CVE-2026-39305 (shared CWE-22)
