CVE-2021-22568

Dart - Publishing to third-party package repositories may expose pub.dev credentials

CVSS 8.8 HIGH · EPSS 0.9% · CWE-255
In short

When publishing Dart packages to third-party repositories, the pub publish command accidentally sends credentials (OAuth2 tokens) meant for pub.dev to those untrusted servers. An attacker controlling a third-party repository could steal these tokens and impersonate the user on pub.dev to publish malicious packages.

Technical detail

The dart pub client fails to scope its OAuth2 access tokens to the server they were issued for: when publishing to a third-party package repository, the request is authenticated with the same access token that is valid for publishing on pub.dev, so a sensitive pub.dev credential is transmitted to an untrusted server. An attacker controlling that repository can read the token from the publish request and use it to act as the user on pub.dev, enabling arbitrary package publication or account compromise.

Summary generated and translated by AI from the official description.
When using the dart pub publish command to publish a package to a third-party package server, the request would be authenticated with an oauth2 access_token that is valid for publishing on pub.dev. Using these obtained credentials, an attacker can impersonate the user on pub.dev. We recommend upgrading past https://github.com/dart-lang/sdk/commit/d787e78d21e12ec1ef712d229940b1172aafcdf8 or beyond version 2.15.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L
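The defect described above is a credential-scoping bug: a token issued for pub.dev is attached to publish requests for any server. The following is an added illustration in Python, not code from the Dart SDK or the pub client; it models the pre-fix behaviour beside a host-scoped variant, and the credential store, host list and token values are all constructed for the example.

```python
from urllib.parse import urlparse

# Assumption for this example: the only host the pub.dev OAuth2 token may
# ever be sent to is pub.dev itself.
PUB_DEV_HOSTS = frozenset({"pub.dev"})

# Constructed credential store with placeholder values (not real tokens).
CREDENTIALS = {
    "pub_dev_oauth2_token": "ya29.EXAMPLE-PUB-DEV-TOKEN",
    # Per-server tokens, keyed by hostname, for third-party repositories.
    "per_server_tokens": {
        "packages.example.internal": "tok-EXAMPLE-INTERNAL",
    },
}


def publish_target_allowed(server_url):
    """Only HTTPS targets with a hostname may receive any bearer token."""
    parsed = urlparse(server_url)
    return parsed.scheme == "https" and bool(parsed.hostname)


def build_publish_headers_vulnerable(server_url, creds):
    """Pre-fix shape of the bug: the pub.dev token is attached to every
    publish request, regardless of which server the request goes to."""
    return {"Authorization": f"Bearer {creds['pub_dev_oauth2_token']}"}


def build_publish_headers_fixed(server_url, creds):
    """Host-scoped variant: the pub.dev token is sent only to pub.dev;
    other servers get their own token or no Authorization header at all."""
    if not publish_target_allowed(server_url):
        raise ValueError(f"refusing to send credentials to {server_url!r}")
    host = urlparse(server_url).hostname  # lower-cased, port stripped
    if host in PUB_DEV_HOSTS:
        return {"Authorization": f"Bearer {creds['pub_dev_oauth2_token']}"}
    token = creds["per_server_tokens"].get(host)
    if token is None:
        # Unknown third-party server: publish unauthenticated rather than
        # fall back to a credential that belongs to a different service.
        return {}
    return {"Authorization": f"Bearer {token}"}


def leaks_pub_dev_token(headers, creds):
    """Detection helper: does this outgoing request carry the pub.dev token?"""
    return creds["pub_dev_oauth2_token"] in headers.get("Authorization", "")


if __name__ == "__main__":
    third_party = "https://packages.example.internal/api/packages/versions/new"
    for name, builder in (("vulnerable", build_publish_headers_vulnerable),
                          ("fixed", build_publish_headers_fixed)):
        headers = builder(third_party, CREDENTIALS)
        print(f"{name}: leaks pub.dev token -> {leaks_pub_dev_token(headers, CREDENTIALS)}")
```

The `leaks_pub_dev_token` check is the kind of assertion a test suite for a publishing client should carry: build the request for a non-pub.dev host and verify the pub.dev credential is absent from it.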
Affected products
Google LLC · Dart SDK
