CVE-2026-27704: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in dart-lang sdk
CVE-2026-27704 is a path traversal vulnerability in Dart and Flutter SDKs prior to versions 3.11.0 and 3.41.0 respectively. It affects the pub client when extracting package archives into the pub cache, allowing malicious packages to write files outside the intended directory by exploiting symlink traversal. The issue is fixed by normalizing file paths before extraction, preventing directory escape via symlinks. This vulnerability has a CVSS score of 6.6 (medium severity) and requires no authentication or user interaction to exploit. Packages hosted on pub.
AI Analysis
Technical Summary
CVE-2026-27704 is a path traversal vulnerability classified under CWE-22 affecting the Dart and Flutter SDKs' package manager (pub client) prior to Dart 3.11.0 and Flutter 3.41.0. The vulnerability arises during the extraction of package archives into the PUB_CACHE directory. Maliciously crafted package archives containing symlinks can cause files to be extracted outside the intended directory by traversing up the directory tree, potentially overwriting arbitrary files on the host system. This occurs because the extraction process did not properly normalize file paths before writing, allowing directory traversal via symlink resolution. The vulnerability is mitigated by a patch that normalizes file paths before extraction, effectively preventing symlink-based traversal attacks. The pub client itself does not upload symlinks but duplicates linked entries, and pub.dev has enforced policies disallowing symlinks in new packages. Users relying solely on vetted packages from pub.dev or trusted git repositories are not affected. The vulnerability has a CVSS 4.0 score of 6.6, reflecting medium severity with network attack vector, no privileges or user interaction required, and high impact on confidentiality due to potential arbitrary file writes. No exploits have been observed in the wild to date.
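The normalize-before-write check that the fix relies on, shown as an added Python example (this is not the pub client's own Dart code, whose internals the advisory does not show). Every archive entry's path and, for symlinks, the link target relative to the link's own directory is collapsed with os.path.normpath and then tested for containment in the cache root before anything is written; the parent directory is additionally resolved on the real filesystem so that a link created by an earlier entry cannot redirect a later write. The archive is a constructed in-memory sample, not a real package, and the names check_member, extract_safely, build_sample_archive and demo are this example's own.

```python
import io
import os
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, Optional


def _within(root: Path, candidate: Path) -> bool:
    """True if `candidate` equals `root` or lies beneath it (purely lexical test)."""
    try:
        candidate.relative_to(root)
        return True
    except ValueError:
        return False


def check_member(root: Path, member: tarfile.TarInfo) -> Optional[str]:
    """Return None if `member` may be written under `root`, otherwise a rejection reason.

    '..' components are collapsed with os.path.normpath *before* the containment
    check; symlink targets are normalized relative to the link's own directory,
    which is exactly where a symlink-based escape would otherwise slip through.
    """
    if os.path.isabs(member.name):
        return "absolute entry path"
    dest = Path(os.path.normpath(root / member.name))
    if not _within(root, dest):
        return "entry path escapes cache directory"
    if member.islnk():
        return "hard links are not accepted"
    if member.issym():
        if os.path.isabs(member.linkname):
            return "absolute link target"
        target = Path(os.path.normpath(dest.parent / member.linkname))
        if not _within(root, target):
            return "link target escapes cache directory"
    if member.isdev():
        return "device nodes are not accepted"
    return None


def extract_safely(archive: bytes, root: Path) -> Dict[str, str]:
    """Write the accepted entries of `archive` under `root`; return {name: reason} for rejects."""
    root = root.resolve()
    rejected: Dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            reason = check_member(root, member)
            if reason is not None:
                rejected[member.name] = reason
                continue
            dest = Path(os.path.normpath(root / member.name))
            # Lexical checks cannot see links created by earlier entries, so the
            # parent is resolved on the real filesystem before it is touched.
            if not _within(root, dest.parent.resolve()):
                rejected[member.name] = "parent resolves outside cache directory"
                continue
            dest.parent.mkdir(parents=True, exist_ok=True)
            if member.isdir():
                dest.mkdir(exist_ok=True)
            elif member.issym():
                os.symlink(member.linkname, dest)
            elif member.isfile():
                with tar.extractfile(member) as src, open(dest, "wb") as dst:
                    dst.write(src.read())
            else:
                rejected[member.name] = "unsupported entry type"
    return rejected


def build_sample_archive() -> bytes:
    """Constructed sample archive (not a real package): two benign and two escaping entries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("pkg/README.md")
        data = b"hello\n"
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("pkg/docs")          # relative target that stays inside
        link.type = tarfile.SYMTYPE
        link.linkname = "README.md"
        tar.addfile(link)
        bad_link = tarfile.TarInfo("pkg/escape")    # target normalizes to above the root
        bad_link.type = tarfile.SYMTYPE
        bad_link.linkname = "../../outside"
        tar.addfile(bad_link)
        bad_path = tarfile.TarInfo("pkg/../../evil.txt")  # '..' in the entry name itself
        bad_path.size = 1
        tar.addfile(bad_path, io.BytesIO(b"x"))
    return buf.getvalue()


def demo() -> dict:
    """Run the sample archive through the safe extractor inside a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "cache"
        rejected = extract_safely(build_sample_archive(), root)
        return {
            "rejected": rejected,
            "readme": (root / "pkg" / "README.md").read_bytes(),
            "docs_is_symlink": (root / "pkg" / "docs").is_symlink(),
            "escaped_file_written": (Path(tmp) / "evil.txt").exists(),
        }


if __name__ == "__main__":
    print(demo())
```

Running demo() reports the two escaping entries as rejected while the benign file and the in-root symlink are written normally; nothing appears above the cache root. The same containment test applied to a whole archive is what distinguishes a vetted extraction from the pre-patch behaviour the advisory describes.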
Potential Impact
The primary impact of this vulnerability is the potential for an attacker to write or overwrite arbitrary files on a victim's system by publishing a malicious package that exploits the path traversal during extraction. This can lead to unauthorized modification of system or application files, potentially enabling code execution, privilege escalation, or persistent backdoors if critical files are overwritten. Organizations using vulnerable versions of the Dart or Flutter SDKs and incorporating untrusted or third-party packages outside of vetted repositories are at risk. The impact is mitigated for users relying exclusively on pub.dev packages due to vetting and symlink restrictions. However, development environments, CI/CD pipelines, or build servers that automatically fetch and extract packages from untrusted sources could be compromised. This could affect software supply chain integrity and trustworthiness, leading to broader security incidents if malicious code is introduced into production builds or developer machines.
Mitigation Recommendations
To mitigate this vulnerability, organizations should upgrade to Dart SDK version 3.11.0 or later and Flutter SDK version 3.41.0 or later, where the path normalization fix is implemented. Avoid using packages from untrusted third-party repositories or sources that may contain malicious archives with symlinks. Enforce strict policies to only allow dependencies from pub.dev or trusted git repositories that do not contain symlinks. Implement file system monitoring on build and development machines to detect unexpected file writes outside designated package cache directories. Consider sandboxing or isolating build environments to limit the impact of any arbitrary file writes. Regularly audit and verify package integrity and provenance before inclusion in projects. Educate developers about the risks of using unvetted packages and the importance of SDK updates. Finally, monitor security advisories from Dart and Flutter projects for any further updates or related vulnerabilities.
Affected Countries
United States, Germany, India, China, United Kingdom, Canada, Australia, France, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-23T17:56:51.202Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699f183fb7ef31ef0b2eb1cd
Added to database: 2/25/2026, 3:41:51 PM
Last enriched: 2/25/2026, 3:57:42 PM
Last updated: 2/25/2026, 7:14:45 PM