Path Traversal Vulnerability in DDEV Open-Source Tool for PHP and Node.js
CVE-2026-32885

6.5 MEDIUM

Key Information:

Vendor

Ddev

Status
Vendor
CVE Published: 22 April 2026

What is CVE-2026-32885?

DDEV, an open-source tool for running local web development environments for PHP and Node.js, has a path traversal vulnerability in its Untar() and Unzip() functions. The flaw arises because DDEV downloads archives from remote sources and extracts them without validating the paths of the entries they contain, potentially allowing malicious users to exploit the system. Users are advised to upgrade to version 1.25.2 or newer, which patches this issue.
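
The kind of path validation the description says was missing, as an added example in Go: every tar entry is checked before anything is written, and link entries or names that resolve outside the destination directory are refused. This is not DDEV's code or its patch; the names planExtract and buildTar, the destination /tmp/extract and the sample entry names are assumptions constructed for illustration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// planExtract (hypothetical helper, not DDEV's API) reads a tar stream without
// writing anything and returns where each entry would land under dest.
func planExtract(r io.Reader, dest string) ([]string, error) {
	var targets []string
	tr := tar.NewReader(r)
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err != nil {
			return nil, err
		}
		// Only directories and regular files: a link could redirect a later write.
		if hdr.Typeflag != tar.TypeDir && hdr.Typeflag != tar.TypeReg {
			return nil, fmt.Errorf("entry %q: type %q not allowed", hdr.Name, hdr.Typeflag)
		}
		target := filepath.Join(dest, hdr.Name) // Join also cleans ".." components
		rel, err := filepath.Rel(dest, target)
		if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
			return nil, fmt.Errorf("entry %q escapes %q", hdr.Name, dest)
		}
		targets = append(targets, target)
	}
	return targets, nil
}

// buildTar returns a constructed in-memory archive (sample input, empty bodies).
func buildTar(hdrs ...tar.Header) io.Reader {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for i := range hdrs {
		tw.WriteHeader(&hdrs[i])
	}
	tw.Close()
	return &buf
}

func main() {
	for _, name := range []string{"addon/install.yaml", "addon/../../.bashrc"} {
		fmt.Println(planExtract(buildTar(tar.Header{Name: name, Typeflag: tar.TypeReg}), "/tmp/extract"))
	}
}
```

An extractor built on this check would write files only after planExtract returns without error for the whole archive.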

Affected Version(s)

ddev < 1.25.2

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
