CVE-2026-22870
GuardDog Zip Bomb Vulnerability in safe_extract() Allows DoS
Description
## Summary

GuardDog's `safe_extract()` function does not validate decompressed file sizes when extracting ZIP archives (wheels, eggs), allowing attackers to cause denial of service through zip bombs. A malicious package can consume gigabytes of disk space from a few megabytes of compressed data.

## Vulnerability Details

**Affected Component:** `guarddog/utils/archives.py` - `safe_extract()` function

**Vulnerability Type:** CWE-409 - Improper Handling of Highly Compressed Data (Zip Bomb)

**Severity:** HIGH (CVSS ~8)

**Attack Vector:** Network (malicious package uploaded to PyPI/npm) or local

### Root Cause

The `safe_extract()` function handles TAR files securely using the `tarsafe` library, but ZIP file extraction has no size validation:

```python
elif zipfile.is_zipfile(source_archive):
    with zipfile.ZipFile(source_archive, "r") as zip:
        for file in zip.namelist():
            zip.extract(file, path=os.path.join(target_directory, file))
```

**Missing protections:**

- ❌ No decompressed size limit
- ❌ No compression ratio validation
- ❌ No file count limits
- ❌ No total extracted size validation

## Impact

### Denial of Service Scenarios

**1. CI/CD Pipeline Disruption**

- Attacker publishes malicious package to PyPI
- Developer adds package to requirements.txt
- CI/CD runs GuardDog scan
- Disk fills (GitHub Actions: standard 14GB limit)
- All deployments blocked

**2. Resource Exhaustion**

- Local development environments
- Security scanning infrastructure
- Automated scanning systems
- Docker containers with limited disk

**3. Supply Chain Attack Amplification**

- Single malicious package blocks security scanning
- Prevents detection of other malicious packages
- Forces manual intervention
- Increases security team workload

## Recommended Fix

Add size validation for ZIP files similar to what `tarsafe` provides for TAR files.

### Configuration Options

Make limits configurable via environment variables or config file.

## Additional Improvements

1. **Add warning logs** when archives approach limits
2. **Provide clear error messages** for users
3. **Document limits** in user-facing documentation
4. **Add tests** for zip bomb detection
5. **Consider using a safe ZIP library** (similar to tarsafe)

## Credit

Reported by: Charbel (dwbruijn)
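The recommended fix above, as an added example that is not GuardDog's own code: a ZIP extraction path that checks member count, per-member size, compression ratio and declared total from the central directory before writing anything, and then counts the bytes actually inflated while streaming, because the declared sizes in a header can be forged. The limit values, the `ZipBombError` name and the in-memory sample archives are assumptions for illustration.

```python
import io
import os
import tempfile
import zipfile

MAX_FILE_COUNT = 10_000             # illustrative limits (assumption); make them configurable
MAX_FILE_SIZE = 100 * 1024 * 1024   # per-member decompressed bytes
MAX_TOTAL_SIZE = 500 * 1024 * 1024  # total decompressed bytes for the whole archive
MAX_RATIO = 100                     # decompressed / compressed, per member

class ZipBombError(ValueError):
    """Archive exceeds a decompression limit."""

def check_zip_limits(zf: zipfile.ZipFile) -> int:
    infos = zf.infolist()  # validate central-directory metadata before a byte is written
    total = sum(i.file_size for i in infos)
    if len(infos) > MAX_FILE_COUNT or total > MAX_TOTAL_SIZE:
        raise ZipBombError(f"{len(infos)} members, {total} declared bytes")
    for info in infos:
        ratio = info.file_size / max(info.compress_size, 1)  # empty members have compress_size 0
        if info.file_size > MAX_FILE_SIZE or ratio > MAX_RATIO:
            raise ZipBombError(f"{info.filename}: size {info.file_size}, ratio {ratio:.0f}")
    return total  # declared decompressed total

def safe_extract_zip(source, target_directory: str) -> int:
    """Extract a path or file object under the limits; returns bytes actually written."""
    written = 0
    with zipfile.ZipFile(source, "r") as zf:
        check_zip_limits(zf)
        for info in (i for i in zf.infolist() if not i.is_dir()):
            dest = os.path.join(target_directory, info.filename)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with zf.open(info) as src, open(dest, "wb") as dst:
                while chunk := src.read(64 * 1024):  # header sizes can be forged: count real bytes
                    written += len(chunk)
                    if written > MAX_TOTAL_SIZE:
                        raise ZipBombError("inflated size exceeds limit")
                    dst.write(chunk)
    return written

def build_archive(members: dict) -> bytes:  # constructed sample archive, not a real package
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def extract_bytes(data: bytes) -> int:  # extract an in-memory archive into a throwaway temp dir
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract_zip(io.BytesIO(data), tmp)
```

A 20 MiB run of zero bytes deflates to a few tens of kilobytes, so `check_zip_limits` rejects it on ratio alone before extraction begins.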
How to fix CVE-2026-22870
To remediate CVE-2026-22870, upgrade the affected package to a fixed version below.
- Upgrade to 2.7.1 or later.