CVE-2022-3095
Last modified
CVE-2022-3095 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. The implementation of backslash parsing in the Dart URI class for versions prior to 2.18 and Flutter versions prior to 3.30 differs from the WhatWG URL standards. Dart uses the RFC 3986 syntax, which creates incompatibilities with the '\' characters in URIs, which can lead to auth bypass in webapps interpreting URIs. EPSS estimates a 0.87% chance of exploitation in the next 30 days.
Description
The implementation of backslash parsing in the Dart URI class for versions prior to 2.18 and Flutter versions prior to 3.30 differs from the WhatWG URL standards. Dart uses the RFC 3986 syntax, which creates incompatibilities with the '\' characters in URIs, which can lead to auth bypass in webapps interpreting URIs. We recommend updating Dart or Flutter to mitigate the issue.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Dart | Dart Software Development Kit | < 2.18.0 |
| Flutter | Flutter | < 3.3.3 |
References
- https://github.com/dart-lang/sdk/blob/master/CHANGELOG.md#2182---2022-09-28Release Notes, Third Party Advisory
- https://github.com/dart-lang/sdk/blob/master/CHANGELOG.md#2182---2022-09-28Release Notes, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2022-3095?
How severe is CVE-2022-3095?
How do I fix CVE-2022-3095?
Are you affected by CVE-2022-3095?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST