© 2026 Strobes Security. All rights reserved.
CVE-2026-22870

Published: January 27, 2026
Last updated: January 27, 2026
Exploit: Yes | Zero-day: No | Patch: Yes | Trend: Neutral
TL;DR
Updated January 27, 2026

CVE-2026-22870 is a high severity vulnerability with a CVSS score of 7.5. Exploits are available; patches have been released and should be applied urgently.

Key Points
  • High severity (CVSS 7.5/10)
  • Public exploits are available
  • Vendor patches are available
  • Strobes Priority Score: 487/1000 (Medium)
  • Affects products from: Datadoghq
Severity Scores
  • CVSS v3: 7.5 (High)
  • CVSS v2: not scored (shown as 0.0)
  • Strobes Priority Score: 487.0 / 1000 (Medium priority; a public exploit exists)
  • EPSS: 0.00% (exploitation likelihood: minimal; very low probability of exploitation; monitor and patch as resources allow)
  • Exploit available: Yes
  • Patch available: Yes

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Summary

GuardDog's safe_extract() function does not validate decompressed file sizes when extracting ZIP archives (wheels, eggs), allowing attackers to cause denial of service through zip bombs. A malicious package can consume gigabytes of disk space from a few megabytes of compressed data.

Vulnerability Details

Affected Component: guarddog/utils/archives.py - safe_extract() function
Vulnerability Type: CWE-409 - Improper Handling of Highly Compressed Data (Zip Bomb)
Severity: HIGH (reporter's estimate CVSS ~8; the CVSS v3 score recorded on this page is 7.5)
Attack Vector: Network (malicious package uploaded to PyPI/npm) or local

Root Cause

The safe_extract() function handles TAR files securely using the tarsafe library, but ZIP file extraction has no size validation:

elif zipfile.is_zipfile(source_archive):
    with zipfile.ZipFile(source_archive, "r") as zip:
        for file in zip.namelist():
            # No per-member, total, ratio or count check: a member that inflates
            # to gigabytes is written out in full before any limit could apply.
            zip.extract(file, path=os.path.join(target_directory, file))

Missing protections:

  • ❌ No decompressed size limit
  • ❌ No compression ratio validation
  • ❌ No file count limits
  • ❌ No total extracted size validation

Impact

Denial of Service Scenarios

1. CI/CD Pipeline Disruption

  • Attacker publishes malicious package to PyPI
  • Developer adds package to requirements.txt
  • CI/CD runs GuardDog scan
  • Disk fills (GitHub Actions: standard 14GB limit)
  • All deployments blocked

2. Resource Exhaustion

  • Local development environments
  • Security scanning infrastructure
  • Automated scanning systems
  • Docker containers with limited disk

3. Supply Chain Attack Amplification

  • Single malicious package blocks security scanning
  • Prevents detection of other malicious packages
  • Forces manual intervention
  • Increases security team workload

Recommended Fix

Add size validation for ZIP files similar to what tarsafe provides for TAR files: per-member and total decompressed-size limits, a compression-ratio check and a member-count limit, i.e. the four protections listed as missing under Root Cause, applied before any member is written to disk.

Configuration Options

Make limits configurable via environment variables or config file

Additional Improvements

  1. Add warning logs when archives approach limits
  2. Provide clear error messages for users
  3. Document limits in user-facing documentation
  4. Add tests for zip bomb detection
  5. Consider using a safe ZIP library (similar to tarsafe)
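The following Python is an added example, not GuardDog's code and not the fix shipped in 2.7.1. It implements the four checks listed as missing under Root Cause (member count, largest member, total decompressed size, compression ratio) by reading the ZIP central directory before anything is written, then re-counts bytes during extraction as defence in depth and refuses member paths that escape the target directory, with the warning-log and clear-error-message points from Additional Improvements. The limit values, the ZIP_MAX_* environment variables and the ZipBombError name are assumptions made for this example. Two constructed archives exercise it: a 32 MiB-of-zeros zip bomb that is rejected, and a small wheel-shaped archive that extracts normally.

```python
"""Added example, not GuardDog's code: ZIP extraction with zip-bomb limits.
Limits, ZIP_MAX_* env-var names and ZipBombError are assumptions for this example."""
import io
import logging
import os
import tempfile
import zipfile

log = logging.getLogger("zip_limits")

def _limit(name: str, default: int) -> int:
    # Hypothetical env-var override, as suggested under "Configuration Options".
    return int(os.environ.get(name, default))

MAX_MEMBERS = _limit("ZIP_MAX_MEMBERS", 10_000)
MAX_MEMBER_BYTES = _limit("ZIP_MAX_MEMBER_BYTES", 256 * 1024 * 1024)
MAX_TOTAL_BYTES = _limit("ZIP_MAX_TOTAL_BYTES", 512 * 1024 * 1024)
MAX_RATIO = _limit("ZIP_MAX_RATIO", 100)  # uncompressed : compressed

class ZipBombError(ValueError):
    """Clear, user-facing error for archives that exceed a limit."""

def inspect_zip(zf: zipfile.ZipFile) -> dict:
    """Read declared sizes from the central directory; nothing is extracted."""
    infos = zf.infolist()
    ratios = [i.file_size / i.compress_size for i in infos if i.compress_size > 0]
    return {
        "members": len(infos),
        "largest_member": max((i.file_size for i in infos), default=0),
        "total_bytes": sum(i.file_size for i in infos),
        "max_ratio": max(ratios, default=0.0),
    }

def check_limits(stats: dict) -> None:
    checks = [
        ("member count", stats["members"], MAX_MEMBERS),
        ("largest member bytes", stats["largest_member"], MAX_MEMBER_BYTES),
        ("total uncompressed bytes", stats["total_bytes"], MAX_TOTAL_BYTES),
        ("compression ratio", stats["max_ratio"], MAX_RATIO),
    ]
    for label, value, limit in checks:
        if value > limit:
            raise ZipBombError(f"{label} {value:.0f} exceeds limit {limit}")
        if value > 0.8 * limit:  # warn before an archive hits a hard limit
            log.warning("%s %.0f is within 20%% of limit %d", label, value, limit)

def safe_extract_zip(source, target_directory: str) -> int:
    """Extract once the central-directory checks pass, re-counting bytes as they
    are written (header sizes are attacker-controlled) and refusing member paths
    outside the target. Returns the number of bytes written."""
    root = os.path.realpath(target_directory)
    written = 0
    with zipfile.ZipFile(source, "r") as zf:
        check_limits(inspect_zip(zf))
        for info in zf.infolist():
            dest = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, dest]) != root:
                raise ZipBombError(f"unsafe member path: {info.filename}")
            if info.is_dir():
                continue  # parents are created below; empty dirs are skipped
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with zf.open(info) as src, open(dest, "wb") as out:
                while chunk := src.read(1024 * 1024):
                    written += len(chunk)
                    if written > MAX_TOTAL_BYTES:
                        raise ZipBombError("extracted bytes exceeded total limit")
                    out.write(chunk)
    return written

def make_zip_bomb(size: int = 32 * 1024 * 1024) -> io.BytesIO:
    """Constructed sample: 32 MiB of zeros deflates to about 32 KiB (~1000:1)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("pkg/bomb.bin", b"\0" * size)
    buf.seek(0)
    return buf

def make_benign_archive() -> io.BytesIO:
    """Constructed sample shaped like a tiny wheel: two small text members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("pkg/__init__.py", b"VERSION = '1.0'\n")
        zf.writestr("pkg-1.0.dist-info/METADATA", b"Name: pkg\nVersion: 1.0\n")
    buf.seek(0)
    return buf

def demo() -> dict:
    """Run both samples through the checks and report what happened."""
    with zipfile.ZipFile(make_zip_bomb()) as zf:
        results = {"bomb": inspect_zip(zf)}
    with tempfile.TemporaryDirectory() as target:
        try:
            safe_extract_zip(make_zip_bomb(), target)
            results["bomb_rejected"] = False
        except ZipBombError as exc:
            results.update(bomb_rejected=True, bomb_error=str(exc))
        results["benign_bytes"] = safe_extract_zip(make_benign_archive(), target)
    return results
```

The central-directory pass is cheap and rejects the bomb before a single byte reaches disk, which is the property the vulnerable code lacks. The ratio and total-size checks are both needed: many small members that each stay under the ratio can still exceed the total, and one highly compressible member can stay under the total while signalling a bomb by its ratio. Nested archives (a ZIP inside a wheel) are only caught if the caller runs the same inspection on extracted members.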

Credit

Reported by: Charbel (dwbruijn)

CVSS v3 Breakdown
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (base score 7.5)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High
Exploit References
Security [email protected]
Patch References
Github.com
Trend Analysis
Neutral
Vulnerable Products
  • Vendor: Datadoghq; Product: GuardDog
Advisories
GitHub Advisory
NVD: GuardDog is a CLI tool to identify malicious PyPI packages. Prior to 2.7.1, GuardDog's safe_extract() function does not validate decompressed file sizes when extracting ZIP archives (wheels, eggs), allowing attackers to cause denial of service through zip bombs. A malicious package can consume gigabytes of disk space from a few megabytes of compressed data. This vulnerability is fixed in 2.7.1.
Cite This Page
APA Format
Strobes VI. (2026). CVE-2026-22870 - CVE Details and Analysis. Strobes VI. Retrieved January 28, 2026, from https://vi.strobes.co/cve/CVE-2026-22870