
cpe:2.3:a:dart:dart_software_development_kit:*:*:*:*:*:*:*:*

Part: a
Version: *
Update: *
Vendor: Dart (b61cf075-66fe-5a87-b69f-f3877bd91330)
Product: Dart Software Development Kit (1596cd6d-511f-529f-93a6-a5a9f01eacd5)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from purl2cpe mapping

PURL mappings

PURL: pkg:github/dart-lang/sdk
Source: purl2cpe
Last updated: 2026-06-01 10:15:12.532689

Vulnerability references

Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale
Identifier: CVE-2026-27704
cpeApplicability: vulnerable
Submitted: 2026-06-08 07:53:22.901346
db.gcve.eu details: Dart SDK and Flutter SDK have Zip slip in Dart Pub package extraction
The Dart and Flutter SDKs provide software development kits for the Dart programming language. In versions of the Dart SDK prior to 3.11.0 and the Flutter SDK prior to version 3.41.0, when the pub client (`dart pub` and `flutter pub`) extracts a package in the pub cache, a malicious package archive can have files extracted outside the destination directory in the `PUB_CACHE`. A fix has been landed in commit 26c6985c742593d081f8b58450f463a584a4203a. By normalizing the file path before writing a file, the attacker can no longer traverse up via a symlink. This patch is released in Dart 3.11.0 and Flutter 3.41.0. All packages on pub.dev have been vetted for this vulnerability. New packages are no longer allowed to contain symlinks. The pub client itself doesn't upload symlinks, but duplicates the linked entry, and has been doing this for years. Those whose dependencies are all from pub.dev, third-party repositories trusted not to contain malicious code, or git dependencies are not affected by this vulnerability.
Published: 2026-02-25T15:17:26.243Z
Updated: 2026-02-25T20:27:35.486Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data
Identifier: CVE-2022-3095
cpeApplicability: vulnerable
Submitted: 2026-06-08 05:47:19.429725
db.gcve.eu details: Incorrect parsing of the backslash characters in Dart library
Severity: CRITICAL (9.8)
The implementation of backslash parsing in the Dart URI class for versions prior to 2.18 and Flutter versions prior to 3.30 differs from the WhatWG URL standards. Dart uses the RFC 3986 syntax, which creates incompatibilities with the '\' characters in URIs, which can lead to auth bypass in webapps interpreting URIs. We recommend updating Dart or Flutter to mitigate the issue.
Published: 2022-10-27T00:00:00.000Z
Updated: 2025-04-21T13:47:41.466Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data
Identifier: CVE-2022-0451
cpeApplicability: vulnerable
Submitted: 2026-06-08 05:39:10.090412
db.gcve.eu details: Auth bypass in Dart SDK
Severity: MEDIUM (6.5)
Dart SDK contains the HttpClient in the dart:io library, which includes authorization headers when handling cross-origin redirects. These headers may be explicitly set and contain sensitive information. By default, HttpClient handles redirection logic. If a request is sent to example.com with an authorization header and it redirects to an attacker's site, the sender might not expect the attacker's site to receive the authorization header. We recommend updating the Dart SDK to version 2.16.0 or beyond.
Published: 2022-02-18T13:35:11.903Z
Updated: 2025-04-21T13:56:39.087Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data
Identifier: CVE-2021-22568
cpeApplicability: vulnerable
Submitted: 2026-06-08 05:30:00.883340
db.gcve.eu details: Dart - Publishing to third-party package repositories may expose pub.dev credentials
Severity: HIGH (8.8)
When using the dart pub publish command to publish a package to a third-party package server, the request would be authenticated with an oauth2 access_token that is valid for publishing on pub.dev. Using these obtained credentials, an attacker can impersonate the user on pub.dev. We recommend upgrading past https://github.com/dart-lang/sdk/commit/d787e78d21e12ec1ef712d229940b1172aafcdf8 or to version 2.15.0 or beyond.
Published: 2021-12-09T17:05:12.000Z
Updated: 2024-08-03T18:44:14.137Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data
Identifier: CVE-2021-22567
cpeApplicability: vulnerable
Submitted: 2026-06-08 05:30:00.882948
db.gcve.eu details: Bidirectional Override in Dart SDK
Severity: MEDIUM (4.6)
Bidirectional Unicode text can be interpreted and compiled differently than how it appears in editors, which can be exploited to get nefarious code past a code review by appearing benign. An attacker could embed source text that is invisible to a code reviewer and modifies the behavior of a program in unexpected ways.
Published: 2022-01-05T10:55:11.851Z
Updated: 2025-04-21T13:57:18.231Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data
Identifier: CVE-2021-22540
cpeApplicability: vulnerable
Submitted: 2026-06-08 05:30:00.827064
db.gcve.eu details: skipped to keep the page responsive
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE-2020-8923
cpeApplicability: vulnerable
Submitted: 2026-06-08 05:27:19.963793
db.gcve.eu details: skipped to keep the page responsive
Rationale: Imported from gcve-enriched-dumps CVE data
