CVE-2026-27704
Published: 25 February 2026
Summary
CVE-2026-27704 is a high-severity Path Traversal (CWE-22) vulnerability in Dart Dart Software Development Kit. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Dependencies and Development Tools (T1195.001); ranked at the 21.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal in pub package extraction enables malicious untrusted packages (outside pub.dev) to write attacker-controlled files to arbitrary system locations when a developer runs pub get, directly facilitating supply chain compromise of dev dependencies and user-assisted execution of malicious artifacts.
NVD Description
The Dart and Flutter SDKs provide software development kits for the Dart programming language. In versions of the Dart SDK prior to 3.11.0 and the Flutter SDK prior to version 3.41.0, when the pub client (`dart pub` and `flutter pub`)…
more
extracts a package in the pub cache, a malicious package archive can have files extracted outside the destination directory in the `PUB_CACHE`. A fix has been landed in commit 26c6985c742593d081f8b58450f463a584a4203a. By normalizing the file path before writing file, the attacker can no longer traverse up via a symlink. This patch is released in Dart 3.11.0 and Flutter 3.41.0.vAll packages on pub.dev have been vetted for this vulnerability. New packages are no longer allowed to contain symlinks. The pub client itself doesn't upload symlinks, but duplicates the linked entry, and has been doing this for years. Those whose dependencies are all from pub.dev, third-party repositories trusted to not contain malicious code, or git dependencies are not affected by this vulnerability.
Deeper analysisAI
CVE-2026-27704 (CVSS 7.5, CWE-22) is a path traversal vulnerability in the pub client (`dart pub` and `flutter pub`) of the Dart SDK prior to version 3.11.0 and the Flutter SDK prior to version 3.41.0. During package extraction to the PUB_CACHE, a malicious package archive can exploit symlink traversal to extract files outside the intended destination directory.
A remote attacker requires no privileges or user interaction beyond tricking a developer into running `pub get` on a malicious package. Such packages must originate outside pub.dev, trusted third-party repositories, or git dependencies. Exploitation results in high confidentiality impact through unauthorized file extraction beyond the cache.
The vulnerability is addressed in Dart SDK 3.11.0 and Flutter SDK 3.41.0 via commit 26c6985c742593d081f8b58450f463a584a4203a, which normalizes file paths before writing to block symlink traversal. All packages on pub.dev have been vetted for this issue, new packages cannot contain symlinks, and the pub client has long duplicated rather than uploaded symlinks. Dependencies solely from pub.dev, trusted repositories, or git remain unaffected.
Details
- CWE(s)