Description
DDEV is an open-source tool for running local web development environments for PHP and Node.js. Versions prior to 1.25.2 have unsanitized extraction in both `Untar()` and `Unzip()` functions in `pkg/archive/archive.go`. Downloads and extracts archives from remote sources without path validation. Version 1.25.2 patches the issue.
Published: 2026-04-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

DDEV contains a path traversal flaw in its Untar() and Unzip() functions when handling archives downloaded from remote sources. The extractor does not validate paths, enabling an attacker who controls the archive to write files to arbitrary locations on the host. By embedding malicious payloads within such an archive, an attacker could achieve remote code execution, consistent with CWE-22.

Affected Systems

The vulnerability affects the open‑source DDEV tool used for local PHP and Node.js development environments. All releases prior to version 1.25.2 are susceptible. The 1.25.2 release and later include a patch that sanitises archive extraction.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be a local or remote attacker who can supply a crafted archive; once the archive is downloaded, the extraction routine will write potentially harmful files. No publicly reported exploits exist yet, but the lack of path validation poses a notable risk.

Generated by OpenCVE AI on April 27, 2026 at 08:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade DDEV to version 1.25.2 or later to apply the vendor patch.
  • Disable or remove any configuration that allows DDEV to download and extract archives from untrusted network sources.
  • If an upgrade is not immediately possible, enforce strict directory permissions on the extraction target folder to mitigate potential overwrites.

Generated by OpenCVE AI on April 27, 2026 at 08:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-x2xq-qhjf-5mvg DDEV has ZipSlip path traversal in tar and zip archive extraction
History

Mon, 11 May 2026 20:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ddev:ddev:*:*:*:*:*:*:*:*

Mon, 27 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Ddev
Ddev ddev
Vendors & Products Ddev
Ddev ddev

Wed, 22 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Description DDEV is an open-source tool for running local web development environments for PHP and Node.js. Versions prior to 1.25.2 have unsanitized extraction in both `Untar()` and `Unzip()` functions in `pkg/archive/archive.go`. Downloads and extracts archives from remote sources without path validation. Version 1.25.2 patches the issue.
Title DDEV has ZipSlip path traversal in tar and zip archive extraction
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}

Subscriptions

Ddev Ddev
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T18:35:36.170Z

Reserved: 2026-03-16T21:03:44.421Z

Link: CVE-2026-32885

cve-icon Vulnrichment

Updated: 2026-04-22T18:18:57.479Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T17:16:34.770

Modified: 2026-05-11T20:33:24.183

Link: CVE-2026-32885

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T19:53:21Z

Weaknesses