GHSA-X2XQ-QHJF-5MVG DDEV has ZipSlip path traversal in tar and zip archive extraction

Summary The DDEV local dev tool has unsanitized extraction in both Untar and Unzip functions in pkg/archive/archive.go. This flaw allows users to download and extract archives from remote sources without path validation. Vulnerable Code pkg/archive/archive.go:235 Untar: go fullPath :=...

CVE-2026-32885

DDEV is an open-source tool for running local web development environments for PHP and Node.js. Versions prior to 1.25.2 have unsanitized extraction in both Untar and Unzip functions in pkg/archive/archive.go. Downloads and extracts archives from remote sources without path validation. Version...