SB20260114125 - Multiple vulnerabilities in GuardDog

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Path traversal (CVE-ID: CVE-2026-22871)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in the safe_extract() function. A remote attacker can send a specially crafted HTTP request and overwrite arbitrary files on the system, leading to arbitrary code execution.

2) Improper handling of highly compressed data (CVE-ID: CVE-2026-22870)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the application does not properly handle highly compressed data in the safe_extract() function. A remote attacker can supply a specially crafted archive to the application and consume all available space on the system while unpacking the archive, leading to a denial of service condition.

Remediation

Install update from vendor's website.

References

• https://github.com/DataDog/guarddog/security/advisories/GHSA-xg9w-vg3g-6m68
• https://github.com/DataDog/guarddog/security/advisories/GHSA-ffj4-jq7m-9g6v