Skip to main content

ciguard CVE-2026-44219

LOW
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-05-05 https://github.com/Jo-Jo98/ciguard GHSA-xw8c-rrvx-f7xq
3.7
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

4
Severity Changed
May 12, 2026 - 20:22 NVD
MEDIUM LOW
CVSS changed
May 12, 2026 - 20:22 NVD
3.7 (MEDIUM) 3.7 (LOW)
Source Code Evidence Fetched
May 05, 2026 - 23:01 vuln.today
Analysis Generated
May 05, 2026 - 23:01 vuln.today

DescriptionGitHub Advisory

Summary

Both SCA HTTP clients (src/ciguard/analyzer/sca/osv.py and src/ciguard/analyzer/sca/endoflife.py) call payload = json.loads(resp.read().decode('utf-8')) without a maximum-bytes cap. A hostile or compromised endoflife.date / OSV.dev (or a successful TLS MITM) could return a multi-GB response, exhausting the ciguard process's memory.

Threat scenario

ciguard process memory exhaustion → OOM kill or system swap thrash. Realistic when ciguard runs in CI with a limited memory budget (typical: 4-8 GB). No data integrity or confidentiality impact.

Realism caveat: both URLs are hardcoded HTTPS, so this is a low-realism threat (HTTPS prevents MITM unless the attacker controls a trusted CA or hijacks DNS in a way that doesn't trigger cert validation). The unbounded read is structural defence-in-depth, not a directly exploitable bug today.

Patch

  • New MAX_RESPONSE_BYTES = 5 * 1024 * 1024 (5 MB) constant in both modules.
  • body = resp.read(MAX_RESPONSE_BYTES + 1) with overflow check returns None (caller falls back to stale cache).
  • 3 regression tests in tests/test_sca_rules.py::TestSCAResponseSizeCap.

Discovery

Found during ciguard's first self-conducted pentest cycle, 2026-04-26.

CVSS Scoring

  • CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L - 3.7 (Low)
  • CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N - first.org calc 3.1 (Low); GitHub's calc 6.3 (Medium). Vector is correct - choosing v3.1 as the structured score keeps the consistent Low rating across consumers.

Reproduction

Monkey-patch urllib.request.urlopen to return a fake 50 MB response; observe memory growth before/after the call. Pre-fix: process memory grows by ~50 MB. Post-fix: _fetch returns None, memory growth bounded to MAX_RESPONSE_BYTES.

Resources

AnalysisAI

ciguard SCA HTTP clients in osv.py and endoflife.py exhaust process memory by reading unbounded response bodies from OSV.dev and endoflife.date without enforcing a size cap. A hostile or compromised backend service, or a successful TLS MITM attack, could return multi-gigabyte responses causing denial of service via out-of-memory kill or system swap exhaustion in CI environments. No public exploit identified at time of analysis; vendor released patch in v0.8.2.

Technical ContextAI

ciguard is a Python supply-chain analysis tool that queries two external JSON APIs (OSV.dev and endoflife.date) via HTTPS to retrieve software vulnerability and end-of-life data. The vulnerable code in src/ciguard/analyzer/sca/osv.py and src/ciguard/analyzer/sca/endoflife.py calls json.loads(resp.read().decode('utf-8')) without constraining the size of resp.read(), allowing the HTTP response stream to be consumed entirely into memory before JSON parsing. The root cause is CWE-770 (Allocation of Resources Without Limits or Throttling), a structural validation weakness in untrusted input handling. Both connections use hardcoded HTTPS URLs, which mitigates but does not eliminate the threat if DNS is hijacked or a trusted certificate authority is compromised.

RemediationAI

Upgrade ciguard to v0.8.2 or later. The patch introduces a MAX_RESPONSE_BYTES constant set to 5 MB (5242880 bytes) in both osv.py and endoflife.py, enforces resp.read(MAX_RESPONSE_BYTES + 1) with overflow detection, and returns None on oversized responses to allow fallback to stale cached data. No workarounds are available for earlier versions without code modification. As a temporary mitigation if upgrade is delayed, restrict ciguard's process memory limit via container limits (docker --memory), systemd MemoryMax, or CI runner configuration; however, this only converts memory exhaustion into a timeout rather than preventing it. The patch is low-risk: regression tests in tests/test_sca_rules.py::TestSCAResponseSizeCap confirm that legitimate responses (typical end-of-life or OSV records are under 100 KB) pass through unchanged, and oversized responses degrade gracefully to stale cache fallback. See GitHub Advisory GHSA-xw8c-rrvx-f7xq for patched release links.

Share

CVE-2026-44219 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy