CVE-2024-54461: Unsanitized Filenames in Flutter package file_selector_android Allow File Overwrites

Description

The file names constructed within file_selector are missing sanitization checks, which leaves them vulnerable to malicious document providers. As a result, a user who has a malicious document provider installed can select a document from that provider while using your app, and the provider-supplied file name could potentially overwrite internal files in your app cache. Issue patched in 0.5.1+12. It is recommended to update to the latest version of file_selector_android that contains the changes to address this vulnerability.
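The defensive check the description calls for, as an added Java example written for this page and not taken from file_selector_android's own patch: it assumes the plugin copies a selected document into the app cache under the display name the document provider reports, strips any directory components from that name, and then verifies the canonical target path still lies inside the cache directory.

```java
import java.io.File;
import java.io.IOException;

public final class SafeCacheName {
    // Hypothetical helper: reduce a provider-supplied display name to a
    // single, conservative path segment before it is used on disk.
    static String sanitizeDisplayName(String displayName) {
        if (displayName == null || displayName.isEmpty()) {
            return "file";
        }
        // Keep only the last path segment so "../x" or "a/b" cannot
        // steer the write into another directory.
        String name = displayName.replace('\\', '/');
        name = name.substring(name.lastIndexOf('/') + 1);
        if (name.isEmpty() || name.equals(".") || name.equals("..")) {
            return "file";
        }
        // Replace anything outside an allow-list of safe characters.
        return name.replaceAll("[^A-Za-z0-9._-]", "_");
    }

    // Build the destination inside cacheDir and refuse it if the
    // canonical path escapes the cache directory (defence in depth:
    // symlinks or encoding tricks that survive sanitization).
    static File targetInCache(File cacheDir, String displayName) throws IOException {
        File target = new File(cacheDir, sanitizeDisplayName(displayName));
        String cacheRoot = cacheDir.getCanonicalPath() + File.separator;
        if (!target.getCanonicalPath().startsWith(cacheRoot)) {
            throw new IOException("refusing to write outside cache dir: " + displayName);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample names standing in for what a provider might report.
        File cacheDir = new File(System.getProperty("java.io.tmpdir"), "app-cache");
        String[] samples = { "report.pdf", "../../shared_prefs/prefs.xml", "..", "notes/2024.txt" };
        for (String s : samples) {
            System.out.println(s + " -> " + targetInCache(cacheDir, s).getName());
        }
    }
}
```

Writing each selection into a fresh, uniquely named subdirectory of the cache is a further way to ensure a chosen document never replaces an existing cache file.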

Classification

CVE ID: CVE-2024-54461

CVSS Base Severity: LOW

CVSS Base Score: 2.1

Affected Products

Vendor: Flutter

Product: file_selector_android

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.77% (proportion of scored vulnerabilities with an EPSS score at or below this one)

EPSS Date: 2025-02-28 (date this score was calculated)

References

https://github.com/flutter/packages/security/advisories/GHSA-r465-vhm9-7r5h

Timeline