CVE-2024-54461

7.1 HIGH

📋 TL;DR

This vulnerability in the file_selector package allows malicious document providers to manipulate file names, potentially overriding internal app cache files. It affects Flutter apps using vulnerable versions of file_selector_android on Android devices. Users with malicious document providers installed are at risk.

💻 Affected Systems

Products:
  • file_selector_android (Flutter package)
Versions: before 0.5.1+12
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Flutter apps using the vulnerable file_selector_android package on Android. Requires the user to have a malicious document provider installed.

⚠️ Risk & Real-World Impact

🔴 Worst Case

A malicious document provider could overwrite critical app cache files, leading to data corruption, app crashes, or potential code execution within the app's context.

🟠 Likely Case

A malicious document provider could manipulate file operations to access or modify app data, potentially exposing sensitive information stored in the cache.

🟢 If Mitigated

With proper input validation and file path sanitization, the vulnerability is prevented, maintaining normal app functionality.

🌐 Internet-Facing: LOW - This requires user interaction with a malicious document provider, not direct exploitation over the internet.
🏢 Internal Only: MEDIUM - Requires the user to install and use a malicious document provider, which could occur through social engineering or compromised app stores.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the user to install a malicious document provider and use it within a vulnerable app. No public exploit code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.5.1+12 or later

Vendor Advisory: https://github.com/flutter/packages/security/advisories/GHSA-r465-vhm9-7r5h

Restart Required: No

Instructions:

1. Update pubspec.yaml to use file_selector_android: ^0.5.1+12
2. Run 'flutter pub get'
3. Rebuild and redeploy your Flutter application

🔧 Temporary Workarounds

Implement custom file path validation

Add manual sanitization checks for file paths before processing in your app code

// Add validation logic in your file handling code
// Check for path traversal attempts and malicious characters

🧯 If You Can't Patch

  • Restrict app permissions to minimize cache access
  • Implement runtime file path validation and monitoring

🔍 How to Verify

Check if Vulnerable:

Check pubspec.lock for file_selector_android version below 0.5.1+12

Check Version:

grep -A 8 'file_selector_android:' pubspec.lock

Verify Fix Applied:

Verify file_selector_android version is 0.5.1+12 or higher in pubspec.lock
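
The check above can be scripted so that CI fails on a vulnerable lockfile. This is an added example, not code from the advisory or the Flutter project: the function names and the sample lockfile are constructed here, and the comparison assumes plain major.minor.patch+build versions with no pre-release suffix.

```shell
FIXED="0.5.1+12"  # first fixed release named on this page

# Print the locked version of file_selector_android, or nothing if absent.
# Package entries sit at two-space indent; nested keys are indented deeper.
locked_version() {
  awk '
    /^  [A-Za-z0-9_]+:[ \t]*$/ { in_pkg = ($1 == "file_selector_android:"); next }
    in_pkg && $1 == "version:" { gsub(/"/, "", $2); print $2; exit }
  ' "$1"
}

# Succeed (exit 0) if version $1 is older than version $2.
# Fields are compared numerically, so +9 sorts before +12; a missing +build is 0.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, /[.+]/); split(b, y, /[.+]/)
    for (i = 1; i <= 4; i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 1
  }'
}

# Return 0 = fixed, 1 = vulnerable, 2 = package not in the lockfile.
check_lockfile() {
  v=$(locked_version "$1")
  if [ -z "$v" ]; then echo "file_selector_android not found in $1"; return 2; fi
  if version_lt "$v" "$FIXED"; then
    echo "VULNERABLE: file_selector_android $v < $FIXED"; return 1
  fi
  echo "OK: file_selector_android $v >= $FIXED"
}

# Constructed pubspec.lock excerpt (not from a real project); $1 = version.
sample_lock() {
  cat <<EOF
packages:
  file_selector:
    version: "1.0.3"
  file_selector_android:
    dependency: transitive
    description:
      name: file_selector_android
    source: hosted
    version: "$1"
EOF
}

if [ "$#" -gt 0 ]; then check_lockfile "$1"; fi
```

Run it as `sh check.sh pubspec.lock`; the package is usually a transitive dependency, so check the lockfile rather than pubspec.yaml.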

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns in app cache
  • File operations with suspicious path characters

Network Indicators:

  • No network indicators - local file system vulnerability

SIEM Query:

App logs showing file operations with ../ or other path traversal patterns
