CVE-2026-27704 is a path traversal vulnerability classified under CWE-22 affecting the Dart and Flutter SDKs before versions 3.11.0 and 3.41.0, respectively. The vulnerability arises during the extraction process of package archives by the pub client (`dart pub` and `flutter pub`) into the PUB_CACHE directory. A maliciously crafted package archive can exploit improper pathname normalization to escape the intended extraction directory by leveraging symbolic links, thereby writing files outside the restricted directory. This can lead to unauthorized file creation or overwriting on the host system, potentially compromising confidentiality or integrity of the environment where the SDK is used. The root cause was the lack of normalization of file paths before extraction, allowing traversal sequences to bypass directory restrictions. The fix, implemented in commit 26c6985c742593d081f8b58450f463a584a4203a and released in Dart 3.11.0 and Flutter 3.41.0, normalizes file paths to prevent symlink traversal. Additionally, pub.dev enforces vetting of packages to exclude symlinks, and the pub client duplicates linked entries instead of uploading symlinks, reducing risk from official packages. Users relying on trusted third-party or git dependencies are not affected. The vulnerability has a CVSS 4.0 base score of 6.6, indicating medium severity with network attack vector, no privileges or user interaction required, and high confidentiality impact. No known exploits have been reported in the wild as of publication.

The vulnerability allows an attacker to write files outside the intended package cache directory during package extraction, potentially leading to unauthorized file creation or modification on the host system. This can compromise the confidentiality and integrity of the affected environment, especially if the attacker can place malicious executables, configuration files, or scripts in sensitive locations. Since the pub client operates without requiring user interaction or privileges, a remote attacker who can supply a malicious package archive could exploit this vulnerability to affect developers or CI/CD systems that automatically fetch and extract Dart or Flutter packages. The impact is particularly significant for organizations that consume untrusted or third-party Dart packages outside of vetted repositories. However, the risk is mitigated for users relying solely on pub.dev or trusted git dependencies. The vulnerability does not directly affect availability but can facilitate further attacks or persistence mechanisms if exploited. Overall, the threat could lead to supply chain compromise and unauthorized code execution in development environments.

1. Upgrade to Dart SDK version 3.11.0 or later and Flutter SDK version 3.41.0 or later to apply the official patch that normalizes file paths during extraction. 2. Restrict package sources to trusted repositories such as pub.dev, which vets packages to exclude symlinks, or trusted git dependencies. 3. Implement strict controls and scanning on third-party or private package archives before use, including verifying absence of symlinks or path traversal payloads. 4. Use sandboxed or isolated environments for package extraction to limit potential damage from malicious archives. 5. Monitor file system changes in the PUB_CACHE directory and related paths for unusual activity indicative of exploitation attempts. 6. Educate developers and CI/CD operators about the risks of using untrusted packages and encourage best practices in dependency management. 7. Consider integrating automated security scanning tools that detect path traversal or symlink abuse in package archives prior to installation.