CVE-2024-54462
Published: 29 January 2025
Summary
CVE-2024-54462 is a high-severity Relative Path Traversal (CWE-23) vulnerability in Flutter Image Picker Android. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE is ranked at the 5.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly addresses the missing sanitization checks on file names from malicious document providers by enforcing validation of inputs to prevent path traversal and cache file overrides.
Mitigates the vulnerability by requiring timely identification, reporting, and patching of the flaw in image_picker_android, as fixed in version 0.8.12+18.
Restricts file name inputs from document providers to safe formats or patterns, reducing the risk of relative path traversal exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables local file overwrite via a malicious document provider (user execution of a malicious app) and direct manipulation of stored data in the app cache.
NVD Description
The file names constructed within image_picker are missing sanitization checks leaving them vulnerable to malicious document providers. This may result in cases where a user with a malicious document provider installed can select an image file from that provider while using your app and could potentially override internal files in your app cache. Issue patched in 0.8.12+18. It is recommended to update to the latest version of image_picker_android that contains the changes to address this vulnerability.
Deeper analysis
CVE-2024-54462 is a vulnerability in the image_picker package, specifically the image_picker_android component used in Flutter applications. The issue stems from missing sanitization checks on file names constructed within image_picker, making them susceptible to manipulation by malicious document providers. This flaw, classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-23 (Relative Path Traversal), carries a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H), indicating high impact on integrity and availability.
An attacker can exploit this vulnerability by tricking a user into installing a malicious document provider on an Android device. Once installed, the user must interact with the vulnerable app by selecting an image file via the image_picker functionality from the attacker's provider. This allows the attacker to craft malicious file names that override internal files in the app's cache directory, potentially disrupting app functionality or enabling further compromise through cache poisoning.
The GitHub security advisory (GHSA-98v2-f47x-89xw) confirms the issue was patched in image_picker_android version 0.8.12+18. Developers are advised to update to the latest version of image_picker_android incorporating these fixes to mitigate the vulnerability.
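For apps that copy picked files into their own cache, the input-validation control described above can be sketched as follows. This is an added example, not the image_picker_android patch or code from the project; the class name, method names, and sample file names are hypothetical. It reduces a provider-supplied display name to its last path segment and then confirms the resolved file is still inside the cache directory.

```java
import java.io.File;
import java.io.IOException;

/** Added illustration (hypothetical names): treat a provider-supplied display name as untrusted. */
public final class SafeCacheName {

    /** Keep only the last path segment; reject names that are empty, dot-only, or contain NUL. */
    static String sanitize(String displayName) {
        if (displayName == null) {
            throw new IllegalArgumentException("missing file name");
        }
        // Treat both separators as path delimiters, then keep the final segment.
        String normalized = displayName.replace('\\', '/');
        String base = normalized.substring(normalized.lastIndexOf('/') + 1);
        if (base.isEmpty() || base.equals(".") || base.equals("..") || base.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("unsafe file name");
        }
        return base;
    }

    /** Resolve the name under cacheDir and verify the canonical result is still inside it. */
    static File resolveInCache(File cacheDir, String displayName) throws IOException {
        File target = new File(cacheDir, sanitize(displayName));
        String root = cacheDir.getCanonicalPath() + File.separator;
        if (!target.getCanonicalPath().startsWith(root)) {
            throw new IOException("resolved path escapes cache directory");
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Stand-in for the app cache directory (assumption for this demo).
        File cacheDir = new File(System.getProperty("java.io.tmpdir"), "demo_cache");
        cacheDir.mkdirs();
        // Constructed sample names, as an untrusted provider might report them.
        String[] samples = {"photo.jpg", "../shared_prefs/settings.xml", "..", "a/../../b.png"};
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + resolveInCache(cacheDir, s));
            } catch (IllegalArgumentException | IOException e) {
                System.out.println(s + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Traversal segments are stripped rather than followed, so every accepted name lands directly under the cache directory; a name that collides with an existing cache file still needs separate handling, for example a per-pick subdirectory.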
Details
- CWE(s)