CVE-2026-32885 PUBLISHED

DDEV has ZipSlip path traversal in tar and zip archive extraction

Assigner: GitHub_M
Reserved: 16.03.2026 Published: 22.04.2026 Updated: 22.04.2026

DDEV is an open-source tool for running local web development environments for PHP and Node.js. Versions prior to 1.25.2 have unsanitized extraction in both Untar() and Unzip() functions in pkg/archive/archive.go. Downloads and extracts archives from remote sources without path validation. Version 1.25.2 patches the issue.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CVSS Score: 6.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	High
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	ddev
Product	ddev
Versions	Version < 1.25.2 is affected

References

https://github.com/ddev/ddev/security/advisories/GHSA-x2xq-qhjf-5mvg
https://github.com/ddev/ddev/releases/tag/v1.25.2

Problem Types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE