Publishing to third-party package repositories may expose pub.dev credentials

Moderate
mit-mit published GHSA-r32f-vhjp-qhj7 Dec 8, 2021

Package

No package listed

Affected versions

<2.15.0

Patched versions

2.15.0

Description

Impact

A malicious third-party package repository may impersonate a user on pub.dev for up to one hour after the user has published a package to that third-party package repository using dart pub publish.

When publishing Dart packages to third-party package repositories using dart pub publish, Dart SDKs prior to 2.15.0 will authorize the request using an OAuth2 access_token intended for authentication with pub.dev. Thus, a malicious third-party package repository could use this access_token to impersonate the user on pub.dev. The access_token is usually only valid for up to one hour, but an attacker could persist access by using the access_token to obtain uploader permissions.

This only affects users who publish packages to a third-party package repository by:

  1. Specifying publish_to: https://my-pub-server.com/ in pubspec.yaml and publishing using dart pub publish;
  2. Defining environment variable PUB_HOSTED_URL=https://my-pub-server.com/ and publishing using dart pub publish; or
  3. Publishing using dart pub publish --server https://my-pub-server.com/.

Patches

This is fixed as of Dart SDK version 2.15.0.

As of Dart SDK version 2.15.0, requests to third-party package repositories will no longer include an OAuth2 access_token intended for pub.dev. Requests to third-party package repositories can instead be authenticated using opaque tokens passed to the Dart SDK using dart pub token add https://my-pub-server.com.
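The following is an added example, not code from the advisory or from the Dart SDK. It encodes the conditions above as a pre-publish check a release pipeline could run: it resolves which repository dart pub publish would target (from the --server flag, publish_to in pubspec.yaml, or PUB_HOSTED_URL), and reports whether the pub.dev access_token would be sent to that repository given the SDK version in use. The precedence order of the three sources, the treatment of pre-release builds of 2.15.0 as unpatched, and the sample pubspec contents are assumptions made here, not facts stated on the page.

```python
"""Added example for GHSA-r32f-vhjp-qhj7 / CVE-2021-22568 (not part of the
advisory or the Dart SDK): would this `dart pub publish` send the pub.dev
OAuth2 access_token to a third-party repository?

Assumptions (not stated on the page):
  * target resolution precedence: --server flag > publish_to > PUB_HOSTED_URL,
    defaulting to https://pub.dev when none is set;
  * pre-release builds of 2.15.0 (e.g. 2.15.0-268.0.dev) are treated as
    unpatched, which is the conservative choice.
"""
import re
from urllib.parse import urlsplit

# pub.dartlang.org is the legacy hostname of pub.dev; the token is meant for both.
PUB_DEV_HOSTS = {"pub.dev", "pub.dartlang.org"}
PATCHED = (2, 15, 0)  # fix version from the advisory


def parse_version(text):
    """'2.14.4' -> ((2, 14, 4), False); '2.15.0-268.0.dev' -> ((2, 15, 0), True)."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?", text)
    if not m:
        raise ValueError(f"unrecognised Dart SDK version: {text!r}")
    triple = tuple(int(x) for x in m.groups()[:3])
    return triple, m.group(4) is not None


def sdk_is_affected(version_text):
    """SDKs before 2.15.0 leak the token; 2.15.0 pre-releases are assumed affected."""
    triple, prerelease = parse_version(version_text)
    return triple < PATCHED or (triple == PATCHED and prerelease)


def publish_to_from_pubspec(pubspec_text):
    """Return the top-level publish_to value from pubspec.yaml text, or None.
    A line scan suffices for this one scalar key; no YAML parser is needed."""
    for line in pubspec_text.splitlines():
        m = re.match(r"^publish_to:\s*(\S+)", line)
        if m:
            return m.group(1).strip("'\"")
    return None


def resolve_target(pubspec_text, env, server_flag=None):
    """Pick the repository dart pub publish would talk to (precedence assumed)."""
    if server_flag:
        return server_flag
    from_pubspec = publish_to_from_pubspec(pubspec_text)
    if from_pubspec:
        return from_pubspec
    return env.get("PUB_HOSTED_URL") or "https://pub.dev"


def assess(sdk_version, pubspec_text, env, server_flag=None):
    """Return {'target', 'affected', 'reason'} for one publish invocation."""
    target = resolve_target(pubspec_text, env, server_flag)
    if target == "none":
        return {"target": target, "affected": False, "reason": "publishing disabled"}
    host = urlsplit(target).hostname  # None for a bare host without scheme
    if host in PUB_DEV_HOSTS:
        return {"target": target, "affected": False, "reason": "token is intended for pub.dev"}
    if not sdk_is_affected(sdk_version):
        return {"target": target, "affected": False, "reason": "SDK >= 2.15.0 omits the pub.dev token"}
    return {"target": target, "affected": True,
            "reason": "SDK < 2.15.0 sends the pub.dev access_token to a third-party repository"}


if __name__ == "__main__":
    # Constructed sample inputs; my-pub-server.com is the placeholder host from the advisory.
    sample_pubspec = "name: example_pkg\npublish_to: https://my-pub-server.com/\n"
    for sdk in ("2.14.4", "2.15.0-268.0.dev", "2.15.0"):
        print(sdk, assess(sdk, sample_pubspec, {}))
    print("env only", assess("2.14.4", "name: example_pkg\n",
                             {"PUB_HOSTED_URL": "https://my-pub-server.com/"}))
```

In a pipeline, run this before the publish step and fail the job when `affected` is true; the `reason` field tells the operator whether to upgrade the SDK or to remove the third-party target.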

Workarounds

Avoid publishing to untrusted third-party package repositories with dart pub publish using a Dart SDK prior to 2.15.0.

Mitigations

If you've published a package to a third-party package repository, consider doing an audit of all your account activity on the pub.dev public package repository. You can use the pub.dev activity log for this.

References

Severity

Moderate 6.5 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CVE ID

CVE-2021-22568

Weaknesses

No CWEs