CVE-2025-65112
Product: PubNet (self-hosted Dart & Flutter package service)
Executive summary
A critical vulnerability has been discovered in the PubNet self-hosted Dart & Flutter package service. This flaw allows an unauthenticated attacker to upload software packages while impersonating any legitimate user, creating a significant risk of a supply chain attack. Successful exploitation could lead to widespread system compromise for any downstream users who download and install the malicious packages.
Vulnerability
The vulnerability exists within the /api/storage/upload API endpoint, which fails to perform proper authentication and authorization checks. An unauthenticated attacker can craft a request to this endpoint to upload a new package and include an arbitrary author-id value in the request. The application incorrectly trusts this user-supplied value, associating the uploaded package with the specified author without verifying the identity of the person making the request. This allows an attacker to impersonate any user on the system, including administrators or highly trusted developers, and publish malicious code under their name.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.4, reflecting the high potential for widespread damage. Exploitation can lead to a severe supply chain attack, where attackers replace legitimate software packages with malicious versions containing backdoors, ransomware, or data exfiltration malware. If an organization relies on this internal PubNet instance for software development, all projects and systems that consume a compromised package could be breached, leading to significant data loss, financial damage, operational disruption, and severe reputational harm.
Remediation
Immediate Action: Immediately update all instances of PubNet to version 1.1.3 or later, as this version contains the patch for the vulnerability. After patching, review server access logs for any suspicious POST requests to the /api/storage/upload endpoint originating from unknown IP addresses to identify potential past exploitation.
Proactive Monitoring: Implement continuous monitoring of application and web server logs. Specifically, create alerts for any unauthenticated requests to the /api/storage/upload endpoint. Monitor for unusual package upload patterns, such as a developer publishing a package from an unrecognized IP address or at an unusual time.
Compensating Controls: If immediate patching is not feasible, restrict network access to the /api/storage/upload endpoint to only trusted, internal IP addresses or require users to connect via a VPN. Implementing a Web Application Firewall (WAF) with a specific rule to block unauthenticated access to this endpoint can also serve as a temporary mitigating control.
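As an added example (not PubNet's own code; the JSON-per-line log shape and the internal IP ranges are constructed assumptions), this Python script applies the log-review advice above: it flags POST requests to /api/storage/upload that carry no authenticated user, whose author-id differs from the authenticated user, or that originate outside the assumed trusted ranges.

```python
import ipaddress
import json
from typing import Iterable

UPLOAD_PATH = "/api/storage/upload"
# Hypothetical internal ranges; adjust to the real deployment.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample events (JSON per line); not PubNet's real log format.
SAMPLE_LOG = """\
{"ts":"2025-11-20T09:12:01Z","src_ip":"10.1.4.22","method":"POST","path":"/api/storage/upload","status":200,"auth_user":"alice","author_id":"alice"}
{"ts":"2025-11-20T09:15:44Z","src_ip":"203.0.113.9","method":"POST","path":"/api/storage/upload","status":200,"auth_user":null,"author_id":"admin"}
{"ts":"2025-11-20T09:16:02Z","src_ip":"10.1.4.22","method":"POST","path":"/api/storage/upload","status":200,"auth_user":"bob","author_id":"alice"}
{"ts":"2025-11-20T09:17:30Z","src_ip":"10.1.4.23","method":"GET","path":"/api/packages/foo","status":200,"auth_user":null,"author_id":null}
"""


def is_trusted(ip: str) -> bool:
    """True when the source address falls inside an assumed internal range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_suspicious_uploads(lines: Iterable[str]) -> list:
    """Return one finding per upload request that matches an abuse pattern."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        # Only the vulnerable endpoint is of interest here.
        if ev.get("method") != "POST" or ev.get("path") != UPLOAD_PATH:
            continue
        reasons = []
        if not ev.get("auth_user"):
            reasons.append("unauthenticated upload")
        elif ev.get("author_id") and ev["author_id"] != ev["auth_user"]:
            reasons.append("author-id does not match authenticated user")
        if not is_trusted(ev["src_ip"]):
            reasons.append("source outside trusted ranges")
        if reasons:
            findings.append({"ts": ev["ts"], "src_ip": ev["src_ip"],
                             "author_id": ev.get("author_id"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_uploads(SAMPLE_LOG.splitlines()):
        print(finding)
```

Events that are simply unauthenticated are the pre-patch exploitation signal; author-id mismatches on authenticated requests are worth reviewing even after 1.1.3, since they show a client still sending a foreign author-id.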
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical CVSS score of 9.4 and the direct threat of a supply chain attack, this vulnerability poses an immediate and severe risk to the organization. We strongly recommend that all affected PubNet instances be updated to version 1.1.3 or later with the highest priority. Additionally, a thorough audit of recently published or updated packages should be conducted to ensure no malicious code was injected prior to applying the patch.