ciguard is a static security auditor for CI/CD pipelines. From 0.6.0 to 0.8.1, both SCA HTTP clients (src/ciguard/analyzer/sca/osv.py and src/ciguard/analyzer/sca/endoflife.py) call payload = json.loads(resp.read().decode('utf-8')) without a maximum-bytes cap. A hostile or compromised endoflife.date / OSV.dev (or a successful TLS MITM) could return a multi-GB response, exhausting the ciguard process's memory. This vulnerability is fixed in 0.8.2.
PUBLISHED5.2CWE-770
ciguard: SCA HTTP client reads response body without size cap
Problem type
Affected products
Jo-Jo98
ciguard
>= 0.6.0, < 0.8.2 - AFFECTED
References
GitHub Security Advisories
GHSA-xw8c-rrvx-f7xq
ciguard: SCA HTTP client reads response body without size cap
https://github.com/advisories/GHSA-xw8c-rrvx-f7xqSummary
Both SCA HTTP clients (src/ciguard/analyzer/sca/osv.py and src/ciguard/analyzer/sca/endoflife.py) call payload = json.loads(resp.read().decode('utf-8')) without a maximum-bytes cap. A hostile or compromised endoflife.date / OSV.dev (or a successful TLS MITM) could return a multi-GB response, exhausting the ciguard process's memory.
Threat scenario
ciguard process memory exhaustion → OOM kill or system swap thrash. Realistic when ciguard runs in CI with a limited memory budget (typical: 4-8 GB). No data integrity or confidentiality impact.
Realism caveat: both URLs are hardcoded HTTPS, so this is a low-realism threat (HTTPS prevents MITM unless the attacker controls a trusted CA or hijacks DNS in a way that doesn't trigger cert validation). The unbounded read is structural defence-in-depth, not a directly exploitable bug today.
Patch
- New
MAX_RESPONSE_BYTES = 5 * 1024 * 1024(5 MB) constant in both modules. body = resp.read(MAX_RESPONSE_BYTES + 1)with overflow check returnsNone(caller falls back to stale cache).- 3 regression tests in
tests/test_sca_rules.py::TestSCAResponseSizeCap.
Discovery
Found during ciguard's first self-conducted pentest cycle, 2026-04-26.
CVSS Scoring
- CVSS v3.1:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L— 3.7 (Low) - CVSS v4.0:
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N— first.org calc 3.1 (Low); GitHub's calc 6.3 (Medium). Vector is correct — choosing v3.1 as the structured score keeps the consistent Low rating across consumers.
Reproduction
Monkey-patch urllib.request.urlopen to return a fake 50 MB response; observe memory growth before/after the call. Pre-fix: process memory grows by ~50 MB. Post-fix: _fetch returns None, memory growth bounded to MAX_RESPONSE_BYTES.
Resources
github.com
https://github.com/Jo-Jo98/ciguard/security/advisories/GHSA-xw8c-rrvx-f7xq
github.com
https://github.com/Jo-Jo98/ciguard/releases/tag/v0.8.2
github.com
https://github.com/Jo-Jo98/ciguard/releases/tag/v0.8.3
nvd.nist.gov
https://nvd.nist.gov/vuln/detail/CVE-2026-44219
github.com
https://github.com/advisories/GHSA-xw8c-rrvx-f7xq
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-44219Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-44219",
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"dateUpdated": "2026-05-12T19:40:28.848Z",
"dateReserved": "2026-05-05T15:42:40.517Z",
"datePublished": "2026-05-12T19:40:28.848Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M",
"dateUpdated": "2026-05-12T19:40:28.848Z"
},
"title": "ciguard: SCA HTTP client reads response body without size cap",
"descriptions": [
{
"lang": "en",
"value": "ciguard is a static security auditor for CI/CD pipelines. From 0.6.0 to 0.8.1, both SCA HTTP clients (src/ciguard/analyzer/sca/osv.py and src/ciguard/analyzer/sca/endoflife.py) call payload = json.loads(resp.read().decode('utf-8')) without a maximum-bytes cap. A hostile or compromised endoflife.date / OSV.dev (or a successful TLS MITM) could return a multi-GB response, exhausting the ciguard process's memory. This vulnerability is fixed in 0.8.2."
}
],
"affected": [
{
"vendor": "Jo-Jo98",
"product": "ciguard",
"versions": [
{
"version": ">= 0.6.0, < 0.8.2",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"cweId": "CWE-770",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/Jo-Jo98/ciguard/security/advisories/GHSA-xw8c-rrvx-f7xq",
"name": "https://github.com/Jo-Jo98/ciguard/security/advisories/GHSA-xw8c-rrvx-f7xq",
"tags": [
"x_refsource_CONFIRM"
]
}
],
"metrics": [
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"attackVector": "NETWORK",
"attackComplexity": "HIGH",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW"
}
}
]
}
}
}