PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-32885 DDEV CVE debrief

CVE-2026-32885 is a path traversal vulnerability in DDEV's archive extraction, affecting versions prior to 1.25.2. The Untar() and Unzip() code paths extracted remote archives without first validating entry paths, so a crafted archive entry whose name contains parent-directory components could be written outside the intended extraction directory. DDEV 1.25.2 is the fixed release.

Vendor
DDEV
Product
DDEV
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-22
Original CVE updated
2026-05-11
Advisory published
2026-04-22
Advisory updated
2026-05-11

Who should care

DDEV users on versions prior to 1.25.2, especially developers, platform engineers, and CI/CD or automation workflows that download or extract archives from remote or user-influenced sources.

Technical summary

The NVD record describes a CWE-22 path traversal issue in pkg/archive/archive.go affecting both Untar() and Unzip(). Because archive extraction occurred without path validation, malicious archive entries could escape the intended destination during extraction. The published CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N: network attack vector, low attack complexity, no privileges required, and user interaction required (a user or pipeline has to fetch and extract the crafted archive). The impact is integrity only (C:N/I:H/A:N), which matches an arbitrary file write rather than a disclosure or denial-of-service outcome.
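The following Go program is an added illustration of the missing check, not DDEV's code or the v1.25.2 fix. The helper name safeJoin, the extractTar routine, and the in-memory sample archive are all assumptions introduced here: the archive is constructed inline with one benign entry and one entry whose name climbs out of the destination, and extraction stops with ErrTraversal when that entry is reached. The same containment test applies to zip entry names, so it serves both the Untar() and Unzip() cases described above.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrTraversal marks an entry that would resolve outside the destination.
var ErrTraversal = errors.New("archive entry escapes extraction directory")

// safeJoin is the check the vulnerable code path lacked (hypothetical helper,
// not DDEV's code). Tar and zip entry names both use forward slashes, so the
// same check serves Untar() and Unzip() style callers.
func safeJoin(dest, name string) (string, error) {
	absDest, err := filepath.Abs(dest)
	if err != nil {
		return "", err
	}
	// Join cleans the result: "a/../../b" collapses, and a leading "/" in the
	// entry name is re-rooted under dest rather than treated as absolute.
	target := filepath.Join(absDest, filepath.FromSlash(name))
	// The trailing separator stops dest "/tmp/out" from accepting "/tmp/outside".
	if target != absDest && !strings.HasPrefix(target, absDest+string(os.PathSeparator)) {
		return "", fmt.Errorf("%w: %q", ErrTraversal, name)
	}
	return target, nil
}

// extractTar writes regular files under dest, validating each entry before
// touching the filesystem. Symlink and hardlink entries are skipped here
// because their link targets need a containment check of their own.
func extractTar(r io.Reader, dest string) error {
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if errors.Is(err, io.EOF) {
			return nil
		} else if err != nil {
			return err
		}
		target, err := safeJoin(dest, hdr.Name)
		if err != nil {
			return err // nothing is written for a rejected entry
		}
		if hdr.Typeflag != tar.TypeReg {
			continue
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return err
		}
		data, err := io.ReadAll(tr) // buffered for brevity; stream with io.Copy for large entries
		if err != nil {
			return err
		}
		if err := os.WriteFile(target, data, 0o644); err != nil {
			return err
		}
	}
}

// craftedTar builds a constructed sample archive in memory: one benign entry
// followed by one whose name climbs out of the extraction directory.
func craftedTar() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range []struct{ name, body string }{
		{"project/README.md", "hello\n"},
		{"../../escape.txt", "written outside dest\n"},
	} {
		hdr := &tar.Header{Name: e.name, Mode: 0o644, Size: int64(len(e.body)), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := tw.Write([]byte(e.body)); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	dest, err := os.MkdirTemp("", "extract-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dest)
	fmt.Println("extract result:", extractTar(bytes.NewReader(craftedTar()), dest))
}
```

Two design points matter in practice. First, the prefix comparison includes the path separator, because a plain string prefix test lets "/tmp/out" accept "/tmp/outside". Second, the check runs before any filesystem call for that entry, so a rejected entry never reaches disk; entries that precede it have already been written, which is why an archive from an untrusted source is better validated in a header-only pass (the same safeJoin call over tr.Next() without writing) before extraction, or extracted into a throwaway directory. That header-only pass is also a reasonable pre-screen for archives that an unpatched DDEV build is still expected to extract.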

Defensive priority

Medium; prioritize upgrading promptly if DDEV is used to fetch or extract archives from untrusted, remote, or user-controlled sources.

Recommended defensive actions

  • Upgrade DDEV to version 1.25.2 or later.
  • Review any workflows that download and extract archives through DDEV and confirm the archive sources are trusted.
  • Check local development and automation environments for files written outside the expected extraction directory after archive extraction; that is the symptom of a traversal entry.
  • If immediate upgrading is not possible, avoid DDEV operations that fetch and extract remote archives, and restrict any archive inputs to known-good sources you control.
  • Monitor vendor release notes and the security advisory for any follow-on guidance.

Evidence notes

The official NVD entry states that DDEV versions prior to 1.25.2 are vulnerable and identifies CWE-22 with CVSS 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N). The GitHub security advisory GHSA-x2xq-qhjf-5mvg and the v1.25.2 release tag both point to the fix in DDEV 1.25.2 and provide mitigation context. No KEV entry was supplied in the source corpus.

Official resources

Publicly disclosed on 2026-04-22; the NVD record was last modified on 2026-05-11. The vendor fix is available in DDEV 1.25.2.