
CVE-2026-32885 | Path Traversal (ZipSlip) in ddev

CVE-2026-32885: ZipSlip path traversal in ddev local development tool. Malicious archives escape extraction directory via Untar/Unzip. CVSS 6.5 Medium.

TL;DR
A classic ZipSlip path traversal vulnerability was discovered in ddev, an open-source local development environment tool with 3,000+ GitHub stars used by PHP, Python, and Node.js developers.

Description


The Untar() and Unzip() functions in pkg/archive/archive.go construct file extraction paths using filepath.Join(dest, file.Name) without validating path containment. Go's filepath.Join() resolves ../ sequences in the joined path, allowing archive entries containing traversal sequences like ../../../tmp/malicious to escape the intended destination directory.

Technical Details

Vulnerable Code

The vulnerability exists at two locations in pkg/archive/archive.go (lines 235 and 342). Both the tar and zip extraction functions follow the same insecure pattern:

// Vulnerable pattern — no path containment check
target := filepath.Join(dest, file.Name)
// file.Name can contain "../" sequences that escape dest

Attack Surface

The vulnerable functions are invoked by three ddev operations:

  • ddev add-on installations — third-party add-on archives are extracted without validation
  • ddev import-db — database archive imports trigger Untar()/Unzip()
  • ddev import-files — file archive imports use the same extraction path

Vulnerability Characteristics

  • Attack Vector: Network — malicious archives delivered via add-ons or imports
  • Attack Complexity: Low — craft archive with traversal entries
  • Privileges Required: None
  • User Interaction: Required — victim must import or install the malicious archive
  • Scope: Unchanged

Impact Assessment

  • Integrity: High — arbitrary file write to any location accessible by the ddev process
  • Confidentiality: None
  • Availability: None

Successful exploitation enables config overwriting, code injection, and backdoor deployment on the developer's local machine. Given ddev's use in development environments, this could compromise source code repositories and CI/CD pipelines.

Disclosure Timeline

  • 2026-03-10: Vulnerability reported via GitHub Private Vulnerability Reporting
  • 2026-03-10: Maintainer acknowledged and confirmed
  • 2026-03-15: CVE requested
  • 2026-03-17: CVE-2026-32885 assigned (GHSA-x2xq-qhjf-5mvg)

Remediation

Fix is in progress upstream. Until patched, verify archive contents before importing into ddev and only install add-ons from trusted sources.
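The following Go is an added example, not ddev's code or the upstream fix. It shows the containment check that the vulnerable `filepath.Join(dest, file.Name)` pattern above lacks, and uses it to vet a tar stream before extraction, the kind of pre-import inspection the remediation advice calls for. The destination path and archive entry names are constructed sample values; the check is purely lexical and does not account for symlinks already present under the destination.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// safeTarget replaces the bare filepath.Join(dest, file.Name) from the advisory. Join
// cleans "../", so the result is accepted only if it is dest itself or lies under
// dest+separator (which also rejects a sibling such as dest+"2/x"). Lexical check only.
func safeTarget(dest, name string) (target string, ok bool) {
	dest = filepath.Clean(dest)
	target = filepath.Join(dest, name)
	return target, target == dest || strings.HasPrefix(target, dest+string(filepath.Separator))
}

// escapingEntries vets a tar stream before extraction and returns every entry
// name safeTarget rejects for dest; an empty slice means the archive is clean.
func escapingEntries(dest string, archive []byte) ([]string, error) {
	bad := []string{}
	tr := tar.NewReader(bytes.NewReader(archive))
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err != nil {
			return nil, err
		}
		if _, ok := safeTarget(dest, hdr.Name); !ok {
			bad = append(bad, hdr.Name)
		}
	}
	return bad, nil
}

// buildTar writes an in-memory tar of empty files (constructed sample, not a ddev archive).
func buildTar(names []string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, n := range names {
		tw.WriteHeader(&tar.Header{Name: n, Typeflag: tar.TypeReg})
	}
	tw.Close()
	return buf.Bytes()
}

func main() {
	dest := "/home/dev/project" // constructed sample destination
	bad, _ := escapingEntries(dest, buildTar([]string{"db.sql", "../../../tmp/malicious"}))
	fmt.Println(filepath.Join(dest, "../../../tmp/malicious"), bad) // /tmp/malicious [../../../tmp/malicious]
}
```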

Discovered by: Kai Aizen (SnailSploit)

cite this work
BibTeX
@misc{aizen2026cve,
  author = {Aizen, Kai},
  title  = {CVE-2026-32885 | Path Traversal (ZipSlip) in ddev},
  year   = {2026},
  url    = {https://snailsploit.com/security-research/cves/cve-2026-32885/},
  note   = {snailsploit.com}
}

Permalink: https://snailsploit.com/security-research/cves/cve-2026-32885/
Author: Kai Aizen
Independent adversarial research group. 66 published CVEs, 5 Linux kernel mainline patches, creator of AATMF / P.R.O.M.P.T / SEF, author of Adversarial Minds.
Quick facts
ID: CVE-2026-32885
Product: ddev
Severity: 6.5 (Medium)
Class: CWE-22
References: NVD · MITRE · snailsploit CVE ledger
Frequently asked questions about CVE-2026-32885

What is CVE-2026-32885?

CVE-2026-32885 is a disclosed Path Traversal (ZipSlip) vulnerability in ddev, coordinated through the standard CVE process by independent security researcher Kai Aizen.

Am I affected by CVE-2026-32885?

You are affected if your environment runs an unpatched version of ddev. Check the upstream advisory or NVD record for the precise affected version range, then verify against your deployed version.

How do I fix CVE-2026-32885?

Upgrade ddev to the version that includes the upstream fix referenced in the NVD record. If an immediate upgrade is not possible, apply the mitigation guidance from the vendor advisory and restrict exposure of the affected surface area.

What is the impact of CVE-2026-32885?

CVSS: pending in the NVD record (the researcher's own assessment above is 6.5, Medium). The vulnerability class is Path Traversal (ZipSlip); consult the NVD and vendor advisory for vector details, exploitation prerequisites, and observed impact.

Where can I find authoritative references?

NVD record at https://nvd.nist.gov/vuln/detail/CVE-2026-32885, the MITRE CVE record at https://www.cve.org/CVERecord?id=CVE-2026-32885, and the vendor's security advisory page.