Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2026-22870

GuardDog Zip Bomb Vulnerability in safe_extract() Allows DoS
Back to all
CVE

CVE-2026-22870

GuardDog Zip Bomb Vulnerability in safe_extract() Allows DoS

Summary

GuardDog's safe_extract() function does not validate decompressed file sizes when extracting ZIP archives (wheels, eggs), allowing attackers to cause denial of service through zip bombs. A malicious package can consume gigabytes of disk space from a few megabytes of compressed data.

Vulnerability Details

Affected Component: guarddog/utils/archives.py - safe_extract() function  

Vulnerability Type: CWE-409 - Improper Handling of Highly Compressed Data (Zip Bomb)  

Severity: HIGH (CVSS ~8)  

Attack Vector: Network (malicious package uploaded to PyPI/npm) or local

Root Cause

The safe_extract() function handles TAR files securely using the tarsafe library, but ZIP file extraction has no size validation:

elif zipfile.is_zipfile(source_archive):
    with zipfile.ZipFile(source_archive, "r") as zip:
        for file in zip.namelist():
            zip.extract(file, path=os.path.join(target_directory, file))

Missing protections:

  • ❌ No decompressed size limit
  • ❌ No compression ratio validation  
  • ❌ No file count limits
  • ❌ No total extracted size validation

Impact

Denial of Service Scenarios

1. CI/CD Pipeline Disruption

  • Attacker publishes malicious package to PyPI
  • Developer adds package to requirements.txt
  • CI/CD runs GuardDog scan
  • Disk fills (GitHub Actions: standard 14GB limit)
  • All deployments blocked

2. Resource Exhaustion

  • Local development environments
  • Security scanning infrastructure  
  • Automated scanning systems
  • Docker containers with limited disk

3. Supply Chain Attack Amplification

  • Single malicious package blocks security scanning
  • Prevents detection of other malicious packages
  • Forces manual intervention
  • Increases security team workload

Recommended Fix

Add size validation for ZIP files similar to what tarsafe provides for TAR files

Configuration Options

Make limits configurable via environment variables or config file

Additional Improvements

  1. Add warning logs when archives approach limits
  2. Provide clear error messages for users
  3. Document limits in user-facing documentation
  4. Add tests for zip bomb detection
  5. Consider using a safe ZIP library (similar to tarsafe)

Credit

Reported by: Charbel (dwbruijn)

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
7.1
-
4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
C
H
U
0
-
C
H
U
-

Related Resources

No items found.

References

https://github.com/DataDog/guarddog/security/advisories/GHSA-ffj4-jq7m-9g6v, https://nvd.nist.gov/vuln/detail/CVE-2026-22870, https://github.com/DataDog/guarddog/commit/c3fb07b4838945f42497e78b7a02bcfb1e63969b, https://github.com/DataDog/guarddog

Severity

7.5

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
7.5
EPSS Probability
0.00024%
EPSS Percentile
0.06785%
Introduced Version
0
Fix Available
2.7.1

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading