The file names constructed within image_picker are missing sanitization checks leaving them vulnerable to malicious document providers. This may result in cases where a user with a malicious document provider installed can select an image file from that provider while using your app and could potentially override internal files in your app cache. Issue patched in 0.8.12+18. It is recommended to update to the latest version of image_picker_android that contains the changes to address this vulnerability.
Conclusion & alert: CVE-2024-54462 is rated Low Risk (11.6/100): CVSS Low severity, with low exploitation likelihood (EPSS 0.19%). Mandatory action: Low composite risk—no urgent action required; patch on your normal maintenance cycle and revisit priority if CVSS or EPSS increases.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.04% | 0.19% | +0.15% |
| 2 | 2025-01-30 | — | 0.04% | — |
Full EPSS history (2 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 2.1 | 4.0 | LOW |
|
— | — | [email protected] |
| 7.1 | 3.1 | HIGH |
|
1.8 | 5.2 | [email protected] |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| flutter | image_picker_android | >= 0.8.5\+6, < 0.8.12\+18 | cpe:2.3:a:flutter:image_picker_android:*:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://github.com/flutter/packages/security/advisories/GHSA-98v2-f47x-89xw | Vendor Advisory |