{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32885", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-16T21:03:44.421Z", "datePublished": "2026-04-22T16:54:47.880Z", "dateUpdated": "2026-04-22T18:35:36.170Z"}, "containers": {"cna": {"title": "DDEV has ZipSlip path traversal in tar and zip archive extraction", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/ddev/ddev/security/advisories/GHSA-x2xq-qhjf-5mvg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ddev/ddev/security/advisories/GHSA-x2xq-qhjf-5mvg"}, {"name": "https://github.com/ddev/ddev/releases/tag/v1.25.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/ddev/ddev/releases/tag/v1.25.2"}], "affected": [{"vendor": "ddev", "product": "ddev", "versions": [{"version": "< 1.25.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-22T16:54:47.880Z"}, "descriptions": [{"lang": "en", "value": "DDEV is an open-source tool for running local web development environments for PHP and Node.js. Versions prior to 1.25.2 have unsanitized extraction in both `Untar()` and `Unzip()` functions in `pkg/archive/archive.go`. Downloads and extracts archives from remote sources without path validation. Version 1.25.2 patches the issue."}], "source": {"advisory": "GHSA-x2xq-qhjf-5mvg", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/ddev/ddev/security/advisories/GHSA-x2xq-qhjf-5mvg", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T18:25:23.835580Z", "id": "CVE-2026-32885", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T18:35:36.170Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32885", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T18:25:23.835580Z"}}}], "references": [{"url": "https://github.com/ddev/ddev/security/advisories/GHSA-x2xq-qhjf-5mvg", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T18:18:57.479Z"}}], "cna": {"title": "DDEV has ZipSlip path traversal in tar and zip archive extraction", "source": {"advisory": "GHSA-x2xq-qhjf-5mvg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "ddev", "product": "ddev", "versions": [{"status": "affected", "version": "< 1.25.2"}]}], "references": [{"url": "https://github.com/ddev/ddev/security/advisories/GHSA-x2xq-qhjf-5mvg", "name": "https://github.com/ddev/ddev/security/advisories/GHSA-x2xq-qhjf-5mvg", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ddev/ddev/releases/tag/v1.25.2", "name": "https://github.com/ddev/ddev/releases/tag/v1.25.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "DDEV is an open-source tool for running local web development environments for PHP and Node.js. Versions prior to 1.25.2 have unsanitized extraction in both `Untar()` and `Unzip()` functions in `pkg/archive/archive.go`. Downloads and extracts archives from remote sources without path validation. Version 1.25.2 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-22T16:54:47.880Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32885", "state": "PUBLISHED", "dateUpdated": "2026-04-22T18:35:36.170Z", "dateReserved": "2026-03-16T21:03:44.421Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-22T16:54:47.880Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ddev:ddev:*:*:*:*:*:*:*:*", "matchCriteriaId": "02CC25E0-AC06-4A75-8C5E-609888883FDC", "versionEndExcluding": "1.25.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "DDEV is an open-source tool for running local web development environments for PHP and Node.js. Versions prior to 1.25.2 have unsanitized extraction in both `Untar()` and `Unzip()` functions in `pkg/archive/archive.go`. Downloads and extracts archives from remote sources without path validation. Version 1.25.2 patches the issue."}], "id": "CVE-2026-32885", "lastModified": "2026-05-11T20:33:24.183", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-22T17:16:34.770", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/ddev/ddev/releases/tag/v1.25.2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/ddev/ddev/security/advisories/GHSA-x2xq-qhjf-5mvg"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/ddev/ddev/security/advisories/GHSA-x2xq-qhjf-5mvg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.25.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "ddev", "source": "cna", "vendor": "ddev"}, "product": "ddev", "vendor": "ddev"}], "analysis": {"en": {"generated_at": "2026-04-27T08:33:51.492878+00:00", "value": {"mitigation_remediation": ["Upgrade DDEV to version 1.25.2 or later to apply the vendor patch.", "Disable or remove any configuration that allows DDEV to download and extract archives from untrusted network sources.", "If an upgrade is not immediately possible, enforce strict directory permissions on the extraction target folder to mitigate potential overwrites."], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the open\u2011source DDEV tool used for local PHP and Node.js development environments. All releases prior to version 1.25.2 are susceptible. The 1.25.2 release and later include a patch that sanitises archive extraction.", "description_and_impact": "DDEV contains a path traversal flaw in its Untar() and Unzip() functions when handling archives downloaded from remote sources. The extractor does not validate paths, enabling an attacker who controls the archive to write files to arbitrary locations on the host. By embedding malicious payloads within such an archive, an attacker could achieve remote code execution, consistent with CWE-22.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be a local or remote attacker who can supply a crafted archive; once the archive is downloaded, the extraction routine will write potentially harmful files. No publicly reported exploits exist yet, but the lack of path validation poses a notable risk."}}}}, "created": "2026-04-27T18:42:00.089894+00:00", "updated": "2026-04-27T19:53:21.790014+00:00", "vendors": ["ddev", "ddev$PRODUCT$ddev"]}