CVE-2026-22870
Published: 13 January 2026
Summary
CVE-2026-22870 is a high-severity Data Amplification (CWE-409) vulnerability in Datadoghq Guarddog. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 7.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Limits effects of data amplification from compressed or malicious inputs.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote denial of service via a crafted zip bomb (resource exhaustion during extraction), which directly matches Application or System Exploitation used for endpoint denial of service.
NVD Description
GuardDog is a CLI tool to identify malicious PyPI packages. Prior to 2.7.1, GuardDog's safe_extract() function does not validate decompressed file sizes when extracting ZIP archives (wheels, eggs), allowing attackers to cause denial of service through zip bombs. A malicious package can consume gigabytes of disk space from a few megabytes of compressed data. This vulnerability is fixed in 2.7.1.
Deeper analysis
CVE-2026-22870 is a denial-of-service vulnerability in GuardDog, a CLI tool designed to identify malicious PyPI packages. In versions prior to 2.7.1, the safe_extract() function does not validate decompressed file sizes when extracting ZIP archives such as Python wheels and eggs. This flaw, classified under CWE-409 (Data Amplification), allows attackers to craft zip bombs that expand a few megabytes of compressed data into gigabytes of disk space, exhausting storage resources. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
An attacker can exploit this vulnerability remotely by publishing a malicious PyPI package containing a zip bomb. Security practitioners or developers who scan untrusted packages with a vulnerable GuardDog instance trigger the extraction process, leading to rapid disk space consumption and potential denial of service on the scanning host. No user interaction, privileges, or special access is required, so the flaw is reachable over the network with low attack complexity.
The vulnerability is addressed in GuardDog version 2.7.1. Official mitigation details are available in the GitHub security advisory at https://github.com/DataDog/guarddog/security/advisories/GHSA-ffj4-jq7m-9g6v and the fixing commit at https://github.com/DataDog/guarddog/commit/c3fb07b4838945f42497e78b7a02bcfb1e63969b. Users should upgrade to 2.7.1 or later to prevent exploitation.
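The following Python is an added illustration of the defensive check the advisory describes, written for this page; it is not GuardDog's code and not the upstream fix. It extracts a ZIP archive under a total decompressed-size budget, applies a per-member compression-ratio cap, and counts the bytes actually written rather than trusting only the sizes declared in the central directory. The budget values, the `build_compressible_archive` sample archive and all function names are constructed for the example.

```python
import io
import tempfile
import zipfile
from pathlib import Path

CHUNK = 64 * 1024  # read size while streaming a member out of the archive


class ArchiveTooLarge(Exception):
    """Raised when extraction would exceed the decompressed-size budget."""


def extract_with_budget(archive, dest, max_total: int, max_ratio: float = 100.0) -> int:
    """Extract `archive` into `dest`, refusing to write more than `max_total`
    decompressed bytes. Returns the number of bytes written.

    Two gates are applied. The first uses the sizes recorded in the central
    directory, which the archive author controls, so it is cheap but advisory.
    The second counts bytes as they are produced, so the budget holds
    regardless of what the headers claim.
    """
    dest = Path(dest).resolve()
    written = 0
    with zipfile.ZipFile(archive) as zf:
        # Gate 1: declared totals and per-member compression ratio.
        declared = 0
        for info in zf.infolist():
            declared += info.file_size
            if declared > max_total:
                raise ArchiveTooLarge(
                    f"declared total {declared} bytes exceeds budget {max_total}")
            if info.compress_size:
                ratio = info.file_size / info.compress_size
                if ratio > max_ratio:
                    raise ArchiveTooLarge(
                        f"{info.filename}: compression ratio {ratio:.0f} exceeds {max_ratio:.0f}")
        # Gate 2: enforce the budget on bytes actually decompressed.
        for info in zf.infolist():
            target = (dest / info.filename).resolve()
            try:
                target.relative_to(dest)  # reject members that escape dest ("zip slip")
            except ValueError:
                raise ValueError(f"{info.filename}: member path escapes destination")
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            try:
                with zf.open(info) as src, open(target, "wb") as out:
                    for chunk in iter(lambda: src.read(CHUNK), b""):
                        written += len(chunk)
                        if written > max_total:
                            raise ArchiveTooLarge(
                                f"wrote {written} bytes, exceeding budget {max_total}")
                        out.write(chunk)
            except ArchiveTooLarge:
                target.unlink(missing_ok=True)  # do not leave a partial bomb on disk
                raise
    return written


def build_compressible_archive(member_size: int) -> io.BytesIO:
    """Constructed sample: one member of `member_size` zero bytes. Zeros deflate
    to a tiny fraction of their size, which is the shape a zip bomb relies on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("pkg/big.bin", b"\0" * member_size)
    buf.seek(0)
    return buf


def scan_outcome(archive, max_total: int, max_ratio: float = 100.0) -> str:
    """Run the budgeted extraction into a throwaway directory and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        try:
            n = extract_with_budget(archive, tmp, max_total, max_ratio)
            return f"extracted {n} bytes"
        except ArchiveTooLarge as exc:
            return f"rejected: {exc}"


if __name__ == "__main__":
    MiB = 1024 * 1024
    print(scan_outcome(build_compressible_archive(8 * MiB), 16 * MiB, max_ratio=10_000))
    print(scan_outcome(build_compressible_archive(8 * MiB), 4 * MiB, max_ratio=10_000))
    print(scan_outcome(build_compressible_archive(8 * MiB), 16 * MiB))
```

The budget should be sized for the scanner host, not for the largest package one expects: a package-analysis tool processes untrusted input by design, so a hard cap that fails the scan is preferable to one that fails the machine. Archives nested inside archives need the same budget applied to each level, which this example does not do.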
Details
- CWE(s)