CVE-2026-22870
Unknown Unknown - Not Provided
Zip Bomb Denial of Service in GuardDog safe_extract() Pre

Publication date: 2026-01-13

Last updated on: 2026-01-13

Assigner: GitHub, Inc.

Description
GuardDog is a CLI tool to identify malicious PyPI packages. Prior to 2.7.1, GuardDog's safe_extract() function does not validate decompressed file sizes when extracting ZIP archives (wheels, eggs), allowing attackers to cause denial of service through zip bombs. A malicious package can consume gigabytes of disk space from a few megabytes of compressed data. This vulnerability is fixed in 2.7.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-13
Last Modified
2026-01-13
Generated
2026-06-16
AI Q&A
2026-01-14
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22870
EUVD
EUVD-2026-2013
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
datadog guarddog to 2.7.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-409 The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided resources do not contain information about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability exists in GuardDog versions prior to 2.7.1, where the safe_extract() function does not validate the size of files after decompressing ZIP archives such as wheels or eggs. This allows attackers to create zip bombsβ€”malicious compressed files that expand to consume very large amounts of disk space from a small compressed size, potentially causing denial of service.

Impact Analysis

An attacker can exploit this vulnerability by distributing a malicious package that, when extracted by GuardDog, consumes gigabytes of disk space from just a few megabytes of compressed data. This can lead to denial of service by exhausting disk resources, potentially disrupting system operations or causing failures.

Mitigation Strategies

To mitigate this vulnerability, immediately upgrade GuardDog to version 2.7.1 or later, where the safe_extract() function properly validates decompressed file sizes to prevent zip bomb denial of service attacks.

Detection Guidance

This vulnerability can be detected by monitoring for unusually large disk space consumption caused by extracting ZIP archives, especially those related to GuardDog package extractions. Since the issue involves zip bombs that decompress to gigabytes from small compressed files, you can look for processes extracting ZIP files that cause rapid disk usage growth. Specific commands are not provided in the resources, but general approaches include: 1) Monitoring disk usage with commands like `du -sh` on extraction directories, 2) Using system monitoring tools to detect processes with high disk I/O or unexpected resource consumption during GuardDog usage, and 3) Reviewing GuardDog logs if debug logging is enabled to trace extraction operations and detect failures or warnings related to zip bombs. To mitigate, ensure GuardDog is updated to version 2.7.1 or later, which includes protections against zip bombs. No explicit detection commands are given in the provided resources. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22870. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart