CVE-2026-22870

GuardDog Zip Bomb Vulnerability in safe_extract() Allows DoS

Description

GuardDog is a CLI tool to identify malicious PyPI packages. Prior to 2.7.1, GuardDog's safe_extract() function does not validate decompressed file sizes when extracting ZIP archives (wheels, eggs), allowing attackers to cause denial of service through zip bombs. A malicious package can consume gigabytes of disk space from a few megabytes of compressed data. This vulnerability is fixed in 2.7.1.

INFO

Published Date :

2026-01-13T20:43:43.132Z

Last Modified :

2026-01-13T21:23:53.024Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-22870 vulnerability.

Vendors	Products
Datadoghq	Guarddog

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-22870.

URL	Resource
https://github.com/DataDog/guarddog/commit/c3fb07b4838945f42497e78b7a02bcfb1e63969b
https://github.com/DataDog/guarddog/security/advisories/GHSA-ffj4-jq7m-9g6v

CVSS Vulnerability Scoring System

V4
V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact