CVE-2026-22870
Unknown Unknown - Not Provided

Zip Bomb Denial of Service in GuardDog safe_extract() Pre

Vulnerability report for CVE-2026-22870, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-13

Last updated on: 2026-01-13

Assigner: GitHub, Inc.

Description

GuardDog is a CLI tool to identify malicious PyPI packages. Prior to 2.7.1, GuardDog's safe_extract() function does not validate decompressed file sizes when extracting ZIP archives (wheels, eggs), allowing attackers to cause denial of service through zip bombs. A malicious package can consume gigabytes of disk space from a few megabytes of compressed data. This vulnerability is fixed in 2.7.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-13
Last Modified
2026-01-13
Generated
2026-07-06
AI Q&A
2026-01-14
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
datadog guarddog to 2.7.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-409 The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided resources do not contain information about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability can be detected by monitoring for unusually large disk space consumption caused by extracting ZIP archives, especially those related to GuardDog package extractions. Since the issue involves zip bombs that decompress to gigabytes from small compressed files, you can look for processes extracting ZIP files that cause rapid disk usage growth. Specific commands are not provided in the resources, but general approaches include: 1) Monitoring disk usage with commands like `du -sh` on extraction directories, 2) Using system monitoring tools to detect processes with high disk I/O or unexpected resource consumption during GuardDog usage, and 3) Reviewing GuardDog logs if debug logging is enabled to trace extraction operations and detect failures or warnings related to zip bombs. To mitigate, ensure GuardDog is updated to version 2.7.1 or later, which includes protections against zip bombs. No explicit detection commands are given in the provided resources. [1, 2]

Executive Summary

This vulnerability exists in GuardDog versions prior to 2.7.1, where the safe_extract() function does not validate the size of files after decompressing ZIP archives such as wheels or eggs. This allows attackers to create zip bombsβ€”malicious compressed files that expand to consume very large amounts of disk space from a small compressed size, potentially causing denial of service.

Impact Analysis

An attacker can exploit this vulnerability by distributing a malicious package that, when extracted by GuardDog, consumes gigabytes of disk space from just a few megabytes of compressed data. This can lead to denial of service by exhausting disk resources, potentially disrupting system operations or causing failures.

Mitigation Strategies

To mitigate this vulnerability, immediately upgrade GuardDog to version 2.7.1 or later, where the safe_extract() function properly validates decompressed file sizes to prevent zip bomb denial of service attacks.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22870. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart