Dart and Flutter SDK Zip Slip Vulnerability in Package Extraction

A zip slip vulnerability has been identified in the Dart and Flutter SDKs, allowing malicious package archives to be extracted outside the intended directory in the pub cache. This issue affects Dart SDK versions prior to 3.11.0 and Flutter SDK versions prior to 3.41.0. The vulnerability arises when the pub client (`dart pub` or `flutter pub`) extracts packages, as an attacker can exploit symlinks that traverse up the directory structure to write files outside the designated destination.

Impact

Exploitation of this vulnerability could lead to unauthorized file extraction outside the intended directory, potentially allowing malicious files to be placed in sensitive locations.

Reproduction

The vulnerability can be reproduced by creating a package archive that includes a symlink pointing to a parent directory, combined with a payload file that traverses up from that directory. When this archive is extracted using the pub client, the files can be written outside the intended destination, effectively bypassing normal directory restrictions.

Remediation

Users can update to Dart SDK version 3.11.0 or Flutter SDK version 3.41.0, both of which include the necessary patch. For those using dependencies from pub.dev, trusted third-party repositories, or git dependencies, no action is needed.