CVE-2021-22567

Bidirectional Override in Dart SDK

CVSS 4.6 MEDIUMEPSS 0.6%CWE-284

In short

The Dart SDK doesn't properly handle special Unicode characters that reverse text direction, allowing attackers to hide malicious code in source files that appears harmless to reviewers. This trick can sneak dangerous code past security checks because the code looks safe when viewed normally.

Technical detail

Bidirectional Unicode override characters (CWE-284) in Dart source code can be compiled into different executable behavior than what is visually rendered in editors, enabling an attacker to inject hidden logic that bypasses code review. The vulnerability requires source code access and code reviewer inattention, but results in arbitrary code execution through deceptive presentation of program logic.

Summary generated and translated by AI from the official description.

Bidirectional Unicode text can be interpreted and compiled differently than how it appears in editors which can be exploited to get nefarious code passed a code review by appearing benign. An attacker could embed a source that is invisible to a code reviewer that modifies the behavior of a program in unexpected ways.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L

Affected products

Google LLC · Dart SDK

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/dart-lang/sdk/blob/main/CHANGELOG.md https://github.com/dart-lang/sdk/commit/52519ea8eb4780c468c4c2ed00e7c8046ccfed41