CVE-2026-32885 | Path Traversal (ZipSlip) in ddev

TL;DR

A classic ZipSlip path traversal vulnerability was discovered inddev, an open-source local development environment tool with 3,000+ GitHub stars used by PHP, Python, and Node.js developers.

CVE Disclosures →

Description

A classic ZipSlip path traversal vulnerability was discovered in ddev, an open-source local development environment tool with 3,000+ GitHub stars used by PHP, Python, and Node.js developers.

The Untar() and Unzip() functions in pkg/archive/archive.go construct file extraction paths using filepath.Join(dest, file.Name) without validating path containment. Go's filepath.Join() resolves ../ sequences in the joined path, allowing archive entries containing traversal sequences like ../../../tmp/malicious to escape the intended destination directory.

Technical Details

Vulnerable Code

The vulnerability exists at two locations in pkg/archive/archive.go (lines 235 and 342). Both the tar and zip extraction functions follow the same insecure pattern:

// Vulnerable pattern — no path containment check
target := filepath.Join(dest, file.Name)
// file.Name can contain "../" sequences that escape dest

Attack Surface

The vulnerable functions are invoked by three ddev operations:

ddev add-on installations — third-party add-on archives are extracted without validation
ddev import-db — database archive imports trigger Untar()/Unzip()
ddev import-files — file archive imports use the same extraction path

Vulnerability Characteristics

Attack Vector: Network — malicious archives delivered via add-ons or imports
Attack Complexity: Low — craft archive with traversal entries
Privileges Required: None
User Interaction: Required — victim must import or install the malicious archive
Scope: Unchanged

Impact Assessment

Integrity: High — arbitrary file write to any location accessible by the ddev process
Confidentiality: None
Availability: None

Successful exploitation enables config overwriting, code injection, and backdoor deployment on the developer's local machine. Given ddev's use in development environments, this could compromise source code repositories and CI/CD pipelines.

Disclosure Timeline

2026-03-10: Vulnerability reported via GitHub Private Vulnerability Reporting
2026-03-10: Maintainer acknowledged and confirmed
2026-03-15: CVE requested
2026-03-17: CVE-2026-32885 assigned (GHSA-x2xq-qhjf-5mvg)

Remediation

Fix is in progress upstream. Until patched, verify archive contents before importing into ddev and only install add-ons from trusted sources.

Discovered by: Kai Aizen (SnailSploit)

CVE-2026-32809 Symlink Resolution in ouch CVE-2026-33693 SSRF in activitypub-federation-rust CVE-2026-3288 Config Injection in ingress-nginx CVE-2025-9776 SQL Injection in CatFolders