Dart http_server Directory Listing virtual_directory.dart VirtualDirectory cross site scripting
Description
A vulnerability classified as problematic was found in Dart http_server up to 0.9.5. It affects the function VirtualDirectory in the file lib/src/virtual_directory.dart of the component Directory Listing Handler. Manipulation of the argument request.uri.path leads to cross-site scripting. The attack may be launched remotely. Upgrading to version 0.9.6 addresses this issue. The name of the patch is 27c1cbd8125bb0369e675eb72e48218496e48ffb. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-225356.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: <=0.9.5
- Dart/http_server (v5) Range: 0.9.0
Patches
Vulnerability mechanics
Root cause
"The VirtualDirectory function improperly handles URI paths, allowing for the injection of malicious script content."
Attack vector
An attacker can exploit this vulnerability by manipulating the `request.uri.path` argument when interacting with the Directory Listing Handler. This manipulation can lead to the execution of arbitrary JavaScript code within the user's browser, as demonstrated by the inclusion of payloads like `alert('hacked!');` in directory names [ref_id=1]. The attack can be launched remotely.
Affected code
The vulnerability resides within the `VirtualDirectory` function located in the file `lib/src/virtual_directory.dart`. The commit `27c1cbd8125bb0369e675eb72e48218496e48ffb` specifically modifies how directory paths are handled and displayed to prevent script execution [patch_id=4373542].
What the fix does
The patch addresses the cross-site scripting vulnerability by properly encoding special characters within the URI path before rendering them in the directory listing. For example, a forward slash '/' is now rendered as '/' and other characters like '<', '>', '&', and '
Preconditions
- config: The `allowDirectoryListing` property of `VirtualDirectory` must be enabled.
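The pattern described under "What the fix does", as an added example that is not http_server's own code: a directory-listing renderer that interpolates the request path and entry names raw, next to one that escapes them with `htmlEscape` from `dart:convert`. The function names and the sample inputs are constructed for illustration.

```dart
import 'dart:convert';

// Hypothetical function names; this is an illustration, not http_server's code.

/// Vulnerable pattern: the request path and entry names are interpolated
/// into the listing markup unmodified.
String renderListingUnsafe(String requestPath, List<String> entries) {
  final rows = entries.map((e) => '<li><a href="$e">$e</a></li>').join('\n');
  return '<h1>Index of $requestPath</h1>\n<ul>\n$rows\n</ul>';
}

/// Hardened pattern: text nodes are HTML-escaped; hrefs are percent-encoded
/// first, then HTML-escaped for the attribute context.
String renderListingSafe(String requestPath, List<String> entries) {
  final rows = entries.map((e) {
    final href = htmlEscape.convert(Uri.encodeComponent(e));
    final label = htmlEscape.convert(e);
    return '<li><a href="$href">$label</a></li>';
  }).join('\n');
  final title = htmlEscape.convert(requestPath);
  return '<h1>Index of $title</h1>\n<ul>\n$rows\n</ul>';
}

void main() {
  // Constructed inputs: a decoded request path and an entry name carrying markup.
  const path = "/files/<script>alert('hacked!');</script>/";
  const entries = ['notes.txt', "<img src=x onerror=alert('hacked!');>"];

  final unsafe = renderListingUnsafe(path, entries);
  final safe = renderListingSafe(path, entries);
  print('--- unescaped ---\n$unsafe\n');
  print('--- escaped ---\n$safe');

  // Regression check: once the template's own tags are stripped,
  // no angle bracket may remain in the escaped output.
  final leftover =
      safe.replaceAll(RegExp(r'</?(h1|ul|li|a)( href="[^"<>]*")?>'), '');
  if (leftover.contains('<') || leftover.contains('>')) {
    throw StateError('unescaped markup reached the listing');
  }
  if (!unsafe.contains('<script>')) {
    throw StateError('expected the raw renderer to reflect the markup');
  }
}
```

The same check works as a regression test for any handler that reflects `request.uri.path` into HTML.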
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/dart-archive/http_server/commit/27c1cbd8125bb0369e675eb72e48218496e48ffb (mitre, patch)
- github.com/dart-archive/http_server/releases/tag/0.9.6 (mitre, patch)
- codereview.chromium.org/225813002 (mitre, related)
- vuldb.com (mitre, signature, permissions-required)
- vuldb.com (mitre, vdb-entry, technical-description)