What is CVE-2026-32885?

CVE-2026-32885 is a medium severity vulnerability (Path Traversal / ZipSlip (CWE-22)) affecting ddev. It was discovered by security researcher Kai Aizen (SnailSploit).

How severe is CVE-2026-32885?

CVE-2026-32885 is rated as Medium severity with a CVSS score of 6.5. Users should update to the patched version when available.

What software is affected by CVE-2026-32885?

CVE-2026-32885 affects ddev in versions All versions.

How do I fix CVE-2026-32885?

Check the official NVD entry or vendor advisory for CVE-2026-32885 for the latest patching information. Monitor for updates from the plugin developer.

CVE-2026-32885 | Path Traversal (ZipSlip) in ddev

Description

A classic ZipSlip path traversal vulnerability was discovered in ddev, an open-source local development environment tool with 3,000+ GitHub stars used by PHP, Python, and Node.js developers.

The Untar() and Unzip() functions in pkg/archive/archive.go construct file extraction paths using filepath.Join(dest, file.Name) without validating path containment. Go's filepath.Join() resolves ../ sequences in the joined path, allowing archive entries containing traversal sequences like ../../../tmp/malicious to escape the intended destination directory.

Technical Details

Vulnerable Code

The vulnerability exists at two locations in pkg/archive/archive.go (lines 235 and 342). Both the tar and zip extraction functions follow the same insecure pattern:

// Vulnerable pattern — no path containment check
target := filepath.Join(dest, file.Name)
// file.Name can contain "../" sequences that escape dest

Attack Surface

The vulnerable functions are invoked by three ddev operations:

ddev add-on installations — third-party add-on archives are extracted without validation
ddev import-db — database archive imports trigger Untar()/Unzip()
ddev import-files — file archive imports use the same extraction path

Vulnerability Characteristics

Attack Vector: Network — malicious archives delivered via add-ons or imports
Attack Complexity: Low — craft archive with traversal entries
Privileges Required: None
User Interaction: Required — victim must import or install the malicious archive
Scope: Unchanged

Impact Assessment

Integrity: High — arbitrary file write to any location accessible by the ddev process
Confidentiality: None
Availability: None

Successful exploitation enables config overwriting, code injection, and backdoor deployment on the developer's local machine. Given ddev's use in development environments, this could compromise source code repositories and CI/CD pipelines.

Disclosure Timeline

2026-03-10: Vulnerability reported via GitHub Private Vulnerability Reporting
2026-03-10: Maintainer acknowledged and confirmed
2026-03-15: CVE requested
2026-03-17: CVE-2026-32885 assigned (GHSA-x2xq-qhjf-5mvg)

Remediation

Fix is in progress upstream. Until patched, verify archive contents before importing into ddev and only install add-ons from trusted sources.