GuardDog Down: The Irony of Safety Tools Choking on Zip Bombs
Jan 14, 2026 · 5 min read
Executive Summary (TL;DR)
GuardDog versions prior to 2.7.1 contain a vulnerability in the `safe_extract()` function: highly compressed ZIP archives are unpacked without any check on their uncompressed size. An attacker can exploit this to trigger a Denial of Service (DoS) through disk exhaustion. The fix computes the total uncompressed size from the archive metadata before extraction and rejects archives whose size or compression ratio exceeds a limit.
DataDog's GuardDog, a tool meant to protect developers from malicious packages, was itself vulnerable to a classic denial-of-service attack: the Zip Bomb. By feeding it a specially crafted archive, an attacker could force the scanner to exhaust all available disk space, crashing CI/CD pipelines and freezing development environments.
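The following example illustrates the class of fix the summary describes. It is added here for explanation and is not GuardDog's code nor the patch itself: the limit values, the function names and the two constructed sample archives (a benign package file and a single-entry archive of zeros that DEFLATE shrinks roughly 1000:1) are assumptions for illustration. The pre-flight check reads only the zip central directory, so it costs no disk space, and the extraction loop keeps counting bytes so an archive whose headers under-report their size still hits the same budget.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Illustrative limits (assumed for this example, not GuardDog's real thresholds).
MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024   # 50 MiB across the whole archive
MAX_COMPRESSION_RATIO = 100                 # refuse anything denser than 100:1


class UnsafeArchiveError(Exception):
    """Raised when an archive would exceed the configured size or ratio limits."""


def check_archive_limits(archive_bytes, max_total=MAX_TOTAL_UNCOMPRESSED,
                         max_ratio=MAX_COMPRESSION_RATIO):
    """Pre-flight check using only the zip central directory.

    Nothing is decompressed here, so the check itself cannot exhaust disk.
    Returns the declared totals, or raises UnsafeArchiveError.
    """
    total_uncompressed = total_compressed = 0
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            total_uncompressed += info.file_size
            total_compressed += info.compress_size
            if total_uncompressed > max_total:
                raise UnsafeArchiveError(
                    f"declared uncompressed size exceeds {max_total} bytes")
    ratio = total_uncompressed / max(total_compressed, 1)
    if ratio > max_ratio:
        raise UnsafeArchiveError(
            f"compression ratio {ratio:.0f}:1 exceeds {max_ratio}:1")
    return {"uncompressed": total_uncompressed,
            "compressed": total_compressed, "ratio": ratio}


def safe_extract(archive_bytes, dest_dir, max_total=MAX_TOTAL_UNCOMPRESSED,
                 max_ratio=MAX_COMPRESSION_RATIO):
    """Extract only after the pre-flight check passes, and keep counting bytes
    while streaming so a header that lies about its size cannot bypass the
    budget. Returns the number of bytes written."""
    check_archive_limits(archive_bytes, max_total, max_ratio)
    dest = Path(dest_dir)
    written = 0
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            target = dest / info.filename
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                while chunk := src.read(64 * 1024):
                    written += len(chunk)
                    if written > max_total:
                        raise UnsafeArchiveError(
                            "uncompressed data exceeded the budget during extraction")
                    dst.write(chunk)
    return written


def make_bomb_archive(uncompressed_size=8 * 1024 * 1024):
    """Constructed sample: one file of zeros, which DEFLATE shrinks about 1000:1."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.bin", b"\0" * uncompressed_size)
    return buf.getvalue()


BENIGN_CONTENT = b"from setuptools import setup\nsetup(name='demo')\n"


def make_benign_archive():
    """Constructed sample: a tiny, normally compressible package file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("demo/setup.py", BENIGN_CONTENT)
    return buf.getvalue()


def is_rejected(archive_bytes, **limits):
    """True if the pre-flight check refuses the archive."""
    try:
        check_archive_limits(archive_bytes, **limits)
        return False
    except UnsafeArchiveError:
        return True


def extract_to_tempdir(archive_bytes):
    """Extract into a throwaway directory; returns bytes written, or -1 if refused."""
    with tempfile.TemporaryDirectory() as tmp:
        try:
            return safe_extract(archive_bytes, tmp)
        except UnsafeArchiveError:
            return -1


if __name__ == "__main__":
    print("benign archive:", check_archive_limits(make_benign_archive()))
    print("zero-filled archive rejected:", is_rejected(make_bomb_archive()))
```

Two limits are needed rather than one: a size cap alone lets a scanner run out of disk on a moderately sized pipeline worker, while a ratio cap alone would still admit a large but honestly compressed archive whose total exceeds what the worker has free. The streaming check in `safe_extract()` matters because `file_size` in the central directory is attacker-controlled metadata; the byte budget is enforced on what is actually written, not only on what the headers declare.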
Technical Appendix
CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| guarddog (DataDog) | < 2.7.1 | 2.7.1 |
| Attribute | Detail |
|---|---|
| CWE | CWE-409 (Improper Handling of Highly Compressed Data) |
| CVSS v4.0 | 7.1 (High) |
| Attack Vector | Network |
| Impact | Denial of Service (Disk Exhaustion) |
| Patch Commit | c3fb07b4838945f42497e78b7a02bcfb1e63969b |
| Vulnerable Function | safe_extract() |
Weakness Description (CWE-409)
The software does not properly handle data that is compressed or encoded in a way that allows for a high ratio of compression, enabling an attacker to cause a denial of service by consuming excessive resources.