CVE-2024-54461

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-54461
The file names constructed within file_selector are missing sanitization checks leaving them vulnerable to malicious document providers. This may result in cases where a user with a malicious document provider installed can select a document file from that provider while using your app and could potentially override internal files in your app cache. Issue patched in 0.5.1+12. It is recommended to update to the latest version of file_selector_android that contains the changes to address this vulnerability.

7.1 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.2

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/flutter/packages/security/advisories/GHSA-r465-vhm9-7r5h Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:flutter:file_selector_android:*:*:*:*:*:*:*:*
History

30 Jul 2025, 00:05

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.1
CPE cpe:2.3:a:flutter:file_selector_android:*:*:*:*:*:*:*:*
CWE CWE-22
First Time Flutter file Selector Android
Flutter
References () https://github.com/flutter/packages/security/advisories/GHSA-r465-vhm9-7r5h - () https://github.com/flutter/packages/security/advisories/GHSA-r465-vhm9-7r5h - Vendor Advisory
Summary
  • (es) Los nombres de archivo creados dentro de file_selector no cumplen con las comprobaciones desinfección, lo que los deja vulnerables a proveedores de documentos maliciosos. Esto puede generar casos en los que un usuario con un proveedor de documentos malicioso instalado pueda seleccionar un archivo de documento de ese proveedor mientras usa su aplicación y podría anular archivos internos en la memoria caché de su aplicación. Problema corregido en 0.5.1+12. Se recomienda actualizar a la última versión de file_selector_android que contiene los cambios para solucionar esta vulnerabilidad.

29 Jan 2025, 12:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-01-29 12:15

Updated : 2025-07-30 00:05

NVD link : CVE-2024-54461

Mitre link : CVE-2024-54461

CVE.ORG link : CVE-2024-54461

JSON object : View

Products Affected

flutter

  • file_selector_android
CWE
CWE-23

Relative Path Traversal

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')