CVE-2024-54462: Unsanitized Filenames in Flutter package image_picker_android Allow File Overwrites

2.1 CVSS

Description

The file names constructed within image_picker are missing sanitization checks leaving them vulnerable to malicious document providers. This may result in cases where a user with a malicious document provider installed can select an image file from that provider while using your app and could potentially override internal files in your app cache. Issue patched in 0.8.12+18. It is recommended to update to the latest version of image_picker_android that contains the changes to address this vulnerability.

Classification

CVE ID: CVE-2024-54462

CVSS Base Severity: LOW

CVSS Base Score: 2.1

Affected Products

Vendor: Flutter

Product: image_picker_android

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.77% (scored less or equal to compared to others)

EPSS Date: 2025-02-28 (when was this score calculated)

References

https://github.com/flutter/packages/security/advisories/GHSA-98v2-f47x-89xw

Timeline

2025-01-30 08:58:44 UTC
CVE

Unsanitized Filenames in Flutter package image_picker_android Allow File Overwrites