Vulnerabilities ›

CVE-2026-22870

High ⚡ Exploit Available

CWE-409 — Weakness Type

                    Published: Jan 13, 2026                      ·  Modified: Feb 28, 2026                      ·  Source: NVD                

CVSS v3

7.5

🔗 NVD Official

📄 Description (English)

GuardDog is a CLI tool to identify malicious PyPI packages. Prior to 2.7.1, GuardDog's safe_extract() function does not validate decompressed file sizes when extracting ZIP archives (wheels, eggs), allowing attackers to cause denial of service through zip bombs. A malicious package can consume gigabytes of disk space from a few megabytes of compressed data. This vulnerability is fixed in 2.7.1.

🤖 AI Executive Summary

GuardDog versions prior to 2.7.1 are vulnerable to zip bomb attacks through improper decompression validation in the safe_extract() function. Attackers can craft malicious PyPI packages that consume excessive disk space, causing denial of service. This vulnerability directly impacts organizations using GuardDog for supply chain security scanning, potentially disabling their malware detection capabilities during critical security operations.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 4, 2026 06:19

🇸🇦 Saudi Arabia Impact Assessment

Saudi organizations in financial services (SAMA-regulated banks), government agencies (NCA oversight), and technology companies using GuardDog for PyPI package security scanning face operational disruption. Banking sector dependency on automated supply chain security tools makes this particularly critical for ARAMCO's IT operations and STC's software development pipelines. Government entities conducting cybersecurity assessments through GuardDog may experience service unavailability during critical vulnerability scanning windows.

🏢 Affected Saudi Sectors

Banking and Financial Services Government and Public Administration Energy and Utilities Telecommunications Technology and Software Development Healthcare

🎯 MITRE ATT&CK Techniques

T1499 - Endpoint Denial of Service T1499.004 - Application Exhaustion Flood T1657 - Defense Evasion through Supply Chain Compromise T1195.001 - Compromise Software Dependencies

⚖️ Saudi Risk Score (AI)

7.2

/ 10.0

🔧 Remediation Steps (English)

1. IMMEDIATE: Upgrade GuardDog to version 2.7.1 or later across all development and security scanning environments

2. Identify all systems running GuardDog versions < 2.7.1 using: pip show guarddog | grep Version

3. Implement temporary compensating control: Configure filesystem quotas on scanning directories to limit disk space consumption per process

4. Monitor disk usage patterns on scanning servers for anomalous spikes indicating zip bomb exploitation

5. Add detection rule: Alert on decompressed file sizes exceeding 100x compressed size during package extraction

6. Review recent GuardDog scan logs for suspicious package behavior or extraction failures

7. Implement network-based controls to restrict PyPI package downloads to vetted sources only

8. Test patch deployment in non-production environment before production rollout

🔧 خطوات المعالجة (العربية)

1. فوري: ترقية GuardDog إلى الإصدار 2.7.1 أو أحدث عبر جميع بيئات التطوير والفحص الأمني

2. تحديد جميع الأنظمة التي تقوم بتشغيل إصدارات GuardDog < 2.7.1 باستخدام: pip show guarddog | grep Version

3. تنفيذ تحكم تعويضي مؤقت: تكوين حصص نظام الملفات على أدلة الفحص لتحديد استهلاك مساحة القرص لكل عملية

4. مراقبة أنماط استخدام القرص على خوادم الفحص للكشف عن الارتفاعات الشاذة التي تشير إلى استغلال قنابل الضغط

5. إضافة قاعدة الكشف: تنبيه عند تجاوز أحجام الملفات المستخرجة 100 مرة حجم البيانات المضغوطة أثناء استخراج الحزمة

6. مراجعة سجلات فحص GuardDog الأخيرة للبحث عن سلوك حزمة مريب أو فشل الاستخراج

7. تنفيذ عناصر تحكم قائمة على الشبكة لتقييد تنزيلات حزم PyPI إلى المصادر المعتمدة فقط

8. اختبار نشر التصحيح في بيئة غير الإنتاج قبل نشر الإنتاج

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.12.6.1 - Management of technical vulnerabilities ECC 2024 A.14.2.1 - Secure development policy ECC 2024 A.12.2.1 - Monitoring and logging of access

🔵 SAMA CSF

SAMA CSF ID.BE-1 - Business Environment SAMA CSF PR.IP-12 - Software Development and Quality Assurance SAMA CSF DE.CM-1 - Detection Processes and Tools

🟡 ISO 27001:2022

ISO 27001:2022 A.12.2.1 - Monitoring ISO 27001:2022 A.14.2.1 - Secure development policy and procedures ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities

🟣 PCI DSS v4.0.1

PCI DSS 6.2 - Security patches and updates PCI DSS 11.2 - Vulnerability scanning

🔗 References & Sources 2

🔗

https://github.com/DataDog/guarddog/commit/c3fb07b4838945f42497e78b7a02bcfb1e63969b

security-advisories@github.com

Patch

🔗

https://github.com/DataDog/guarddog/security/advisories/GHSA-ffj4-jq7m-9g6v

security-advisories@github.com

Third Party Advisory Exploit

📦 Affected Products / CPE 1 entries

datadoghq:guarddog

📊 CVSS Score

7.5

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityN — None / Network

IntegrityN — None / Network

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score7.5

CWECWE-409

EPSS0.07%

Exploit ✓ Yes

Patch ✓ Yes

Published 2026-01-13

Source Feed nvd

🇸🇦 Saudi Risk Score

7.2

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

exploit-available patch-available CWE-409

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-22870

💬 Comments

Introduce Yourself

Sign In Required