12 matches found

Github Security Blog
added 2026/04/22 7:06 p.m., 7 views

DDEV has ZipSlip path traversal in tar and zip archive extraction

Summary The DDEV local dev tool has unsanitized extraction in both Untar and Unzip functions in pkg/archive/archive.go. This flaw allows users to download and extract archives from remote sources without path validation. Vulnerable Code pkg/archive/archive.go:235 Untar: go fullPath :=...

CVSS 9.1, AI score 5.9, EPSS 0.00418
Exploits 3, References 6, Affected Software 1
OSV
added 2026/04/22 7:06 p.m., 5 views

GHSA-X2XQ-QHJF-5MVG DDEV has ZipSlip path traversal in tar and zip archive extraction

Summary The DDEV local dev tool has unsanitized extraction in both Untar and Unzip functions in pkg/archive/archive.go. This flaw allows users to download and extract archives from remote sources without path validation. Vulnerable Code pkg/archive/archive.go:235 Untar: go fullPath :=...

CVSS 6.5, AI score 5.9, EPSS 0.00418
Exploits 3, References 6
NVD
added 2026/04/22 5:16 p.m., 9 views

CVE-2026-32885

DDEV is an open-source tool for running local web development environments for PHP and Node.js. Versions prior to 1.25.2 have unsanitized extraction in both Untar and Unzip functions in pkg/archive/archive.go. Downloads and extracts archives from remote sources without path validation. Version...

CVSS 9.1, EPSS 0.00418
Exploits 3, References 2
Cvelist
added 2026/04/22 4:54 p.m., 27 views

CVE-2026-32885 DDEV has ZipSlip path traversal in tar and zip archive extraction

DDEV is an open-source tool for running local web development environments for PHP and Node.js. Versions prior to 1.25.2 have unsanitized extraction in both Untar and Unzip functions in pkg/archive/archive.go. Downloads and extracts archives from remote sources without path validation. Version...

CVSS 6.5, EPSS 0.00418
Exploits 3, References 2
Vulnrichment
added 2026/04/22 4:54 p.m., 6 views

CVE-2026-32885 DDEV has ZipSlip path traversal in tar and zip archive extraction

DDEV is an open-source tool for running local web development environments for PHP and Node.js. Versions prior to 1.25.2 have unsanitized extraction in both Untar and Unzip functions in pkg/archive/archive.go. Downloads and extracts archives from remote sources without path validation. Version...

CVSS 6.5, AI score 5.8, EPSS 0.00418
Exploits 3, References 2
ATTACKERKB
added 2026/04/22 4:54 p.m., 2 views

CVE-2026-32885

DDEV is an open-source tool for running local web development environments for PHP and Node.js. Versions prior to 1.25.2 have unsanitized extraction in both Untar and Unzip functions in pkg/archive/archive.go. Downloads and extracts archives from remote sources without path validation. Version...

CVSS 6.5, AI score 5.8, EPSS 0.00418
Exploits 3, References 3, Affected Software 1
Positive Technologies
added 2026/04/22 12:00 a.m., 7 views

PT-2026-34524

Name of the Vulnerable Software and Affected Versions DDEV versions prior to 1.25.2 Description DDEV is an open-source tool for running local web development environments for PHP and Node.js. The software performs unsanitized extraction of archives from remote sources without path validation with...

CVSS 9.1, AI score 5.9, EPSS 0.00418
Exploits 3, References 10
Packet Storm
added 2026/04/17 12:00 a.m., 80 views

📄 ddev ZipSlip Path Traversal

A ZipSlip path traversal vulnerability exists in the ddev/ddev project, affecting archive extraction routines. The issue allows a crafted ZIP archive to write files outside the intended extraction directory, potentially leading to arbitrary file overwrite on the host system...

CVSS 6.5, AI score 5.9, EPSS 0.00418
Exploits 3
Packet Storm
added 2026/03/24 12:00 a.m., 141 views

📄 ddev/ddev ZipSlip Path Traversal

A ZipSlip path traversal vulnerability exists in ddev/ddev, a popular open-source local development tool for PHP, Python, and Node.js projects. Both the Untar and Unzip functions in pkg/archive/archive.go use filepath.Join(dest, file.Name) without any path containment validation, allowing a crafted...

AI score 5.9, EPSS 0.00418
Exploits 3
vulnersOsv
added 2023/05/11 8:48 p.m., 7 views

ddev (>=1.4.2 <=2.1.0), hoppr (>=1.7.0 <=1.13.2) +2 more potentially affected by unknown CVE via in-toto (>=1.0.1 <=1.4.0)

in-toto PYPI version =1.0.1, =1.4.2, =1.7.0, =1.0.18, =1.4.9 - hoppr-openssf-scorecard =0.0.1 Source cves: unknown CVE Source advisory: OSV:GHSA-JJGP-WHRP-GQ8M...

AI score 5.8
Exploits 0
vulnersOsv
added 2023/05/11 8:47 p.m., 3 views

ddev (>=1.4.2 <=2.1.0), hoppr (>=1.7.0 <=1.13.2) +2 more potentially affected by CVE-2023-32076 via in-toto (>=1.0.1 <=1.4.0)

in-toto PYPI version =1.0.1, =1.4.2, =1.7.0, =1.0.18, =1.4.9 - hoppr-openssf-scorecard =0.0.1 Source cves: CVE-2023-32076 Source advisory: OSV:GHSA-WC64-C5RV-32PF...

CVSS 5.5, AI score 5.9, EPSS 0.00241
Exploits 0
vulnersOsv
added 2023/05/10 6:15 p.m., 5 views

ddev (>=1.4.2 <=2.1.0), hoppr (>=1.7.0 <=1.13.2) +2 more potentially affected by CVE-2023-32076 via in-toto (>=1.0.1 <=1.4.0)

in-toto PYPI version =1.0.1, =1.4.2, =1.7.0, =1.0.18, =1.4.9 - hoppr-openssf-scorecard =0.0.1 Source cves: CVE-2023-32076 Source advisory: OSV:PYSEC-2023-63...

CVSS 5.5, AI score 6, EPSS 0.00241
Exploits 0