CVE-2025-65112: CWE-862: Missing Authorization in ricardoboss PubNet
PubNet is a self-hosted Dart & Flutter package service. Prior to version 1.1.3, the /api/storage/upload endpoint in PubNet allows unauthenticated users to upload packages as any user by providing arbitrary author-id values. This enables identity spoofing, privilege escalation, and supply chain attacks. This issue has been patched in version 1.1.3.
AI Analysis
Technical Summary
CVE-2025-65112 is a critical missing authorization vulnerability (CWE-862) in ricardoboss PubNet, a self-hosted package service for Dart and Flutter ecosystems. The vulnerability exists in versions prior to 1.1.3, specifically in the /api/storage/upload REST API endpoint. This endpoint does not enforce authentication or authorization checks, allowing any unauthenticated user to upload packages while specifying arbitrary author-id values. Consequently, attackers can impersonate legitimate users, escalating privileges and injecting malicious packages into the supply chain. This can lead to widespread compromise of downstream software that relies on these packages. The vulnerability also relates to CWE-306 (missing authentication), compounding the risk. The CVSS 3.1 score of 9.4 reflects a network-exploitable vulnerability (AV:N) that requires no privileges (PR:N) and no user interaction (UI:N), with high confidentiality and integrity impacts and low availability impact. Although no known exploits are currently reported in the wild, the ease of exploitation and potential damage make this a critical threat. The issue was publicly disclosed on November 29, 2025, and patched in version 1.1.3 of PubNet. Organizations using PubNet for internal or external package hosting must urgently update to prevent identity spoofing and supply chain compromise.
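To make the CWE-862 pattern concrete, the following is an added, constructed illustration (not PubNet's code; PubNet's real handler, session model and storage layer are not shown on this page). It contrasts an upload handler that takes the author from a client-supplied author-id field with one that authenticates first, derives the author from the session, and then checks that the user may publish that package. The session table, package-owner table and request shape are all assumed.

```python
"""Constructed illustration of a missing-authorization upload handler and its hardened form.
Not PubNet's code: the session store, owner table and request shape are assumptions."""
from dataclasses import dataclass, field

# Constructed session store: bearer token -> authenticated user id.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class UploadRequest:
    headers: dict   # e.g. {"Authorization": "Bearer tok-alice"}
    fields: dict    # multipart form fields, e.g. {"author-id": "alice", "package": "http_utils"}
    archive: bytes  # the package archive body (contents irrelevant to the authz check)


@dataclass
class Store:
    # Records (author_id, package_name) for every accepted upload.
    uploads: list = field(default_factory=list)


def upload_vulnerable(req: UploadRequest, store: Store) -> int:
    """CWE-862/CWE-306 pattern: identity comes from a client-controlled field and
    nobody checks who is actually making the request. Returns an HTTP status."""
    author_id = req.fields["author-id"]          # attacker chooses any value here
    store.uploads.append((author_id, req.fields["package"]))
    return 201


def upload_hardened(req: UploadRequest, store: Store, owners: dict) -> int:
    """Authenticate, derive the author from the session, then authorize the publish.
    `owners` maps package name -> set of user ids allowed to publish it."""
    auth = req.headers.get("Authorization", "")
    token = auth.removeprefix("Bearer ").strip()
    user = SESSIONS.get(token)
    if user is None:
        return 401  # no valid credential: no identity, no upload
    # A client-supplied author-id is never trusted; if present it must match the session.
    claimed = req.fields.get("author-id")
    if claimed is not None and claimed != user:
        return 403
    package = req.fields["package"]
    allowed = owners.setdefault(package, {user})  # first publisher claims an unowned name
    if user not in allowed:
        return 403  # authenticated, but not an owner of this package
    store.uploads.append((user, package))
    return 201
```

The key difference is where the author identity originates: the hardened handler records the session user, so an `author-id` field in the request can only confirm, never override, who is publishing.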
Potential Impact
For European organizations, this vulnerability poses a significant risk to software supply chain integrity and trust. Attackers can upload malicious packages masquerading as trusted developers, potentially distributing malware or backdoors to internal applications or public-facing software. This can lead to data breaches, intellectual property theft, and operational disruptions. The identity spoofing aspect undermines accountability and audit trails, complicating incident response. Organizations relying on PubNet for Dart and Flutter package management, especially in sectors like finance, healthcare, and critical infrastructure, face elevated risks. The widespread adoption of Dart and Flutter in Europe’s growing mobile and web development markets increases the attack surface. Furthermore, supply chain attacks can cascade, affecting partner organizations and customers, amplifying the impact across the European digital ecosystem.
Mitigation Recommendations
Immediate mitigation requires upgrading all PubNet instances to version 1.1.3 or later, where the authorization checks on the /api/storage/upload endpoint are enforced. Organizations should audit all package uploads during the vulnerable period to detect unauthorized or suspicious packages. Implement network-level access controls to restrict access to the PubNet API to trusted users and systems. Employ multi-factor authentication and robust identity management for package repository access. Integrate package signing and verification mechanisms to ensure package integrity and provenance. Monitor logs for anomalous upload activity and conduct regular security assessments of the package infrastructure. Additionally, educate developers and DevOps teams about supply chain risks and enforce strict policies on package acceptance and deployment.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-17T20:55:34.694Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 692a43d62a13ea799f1dc479
Added to database: 11/29/2025, 12:52:38 AM
Last enriched: 11/29/2025, 1:07:39 AM
Last updated: 11/29/2025, 6:37:42 PM