GHSA-x2xq-qhjf-5mvg: DDEV has ZipSlip path traversal in tar and zip archive extraction
Summary
DDEV, a local development tool, has a ZipSlip vulnerability (a path traversal flaw where attackers use special path names like '../' to escape the intended extraction directory) in its archive extraction functions. When DDEV extracts tar or zip archives from remote sources, it doesn't validate file paths, allowing attackers to write files anywhere on a developer's machine by crafting malicious archives.
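As an added illustration (not DDEV's code and not its actual fix), here is a Go tar extractor that performs the path validation the summary describes as missing. The function name `extractTar` is hypothetical, the check relies on the standard library's `filepath.IsLocal` (Go 1.20 or later), and only the tar case is shown.

```go
package main

import (
	"archive/tar"
	"fmt"
	"io"
	"log"
	"os"
	"path/filepath"
)

// extractTar writes the regular files in r under dest and aborts on the first unsafe entry name.
func extractTar(r io.Reader, dest string) error {
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		} else if err != nil {
			return err
		}
		if !filepath.IsLocal(hdr.Name) { // rejects absolute names and names that climb out via ".."
			return fmt.Errorf("unsafe entry name %q", hdr.Name)
		}
		if hdr.Typeflag != tar.TypeReg {
			continue // directory, link and special entries are not created by this example
		}
		target := filepath.Join(dest, hdr.Name)
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return err
		}
		data, err := io.ReadAll(tr)
		if err != nil {
			return err
		}
		if err := os.WriteFile(target, data, 0o644); err != nil {
			return err
		}
	}
}

func main() { // usage: go run . DESTDIR < archive.tar
	if len(os.Args) != 2 {
		log.Fatal("usage: extract DESTDIR < archive.tar")
	}
	if err := extractTar(os.Stdin, os.Args[1]); err != nil {
		log.Fatal("extraction aborted: ", err)
	}
}
```

The name check runs before the entry type is examined, so an unsafe name stops extraction whatever kind of entry carries it.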
Vulnerability Details
EPSS: 0.0%
Yes
April 22, 2026
Original source: https://github.com/advisories/GHSA-x2xq-qhjf-5mvg
First tracked: April 22, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 72%