SB2026050798 - Multiple vulnerabilities in DataDog GuardDog

Description

This security bulletin contains information about 2 vulnerabilities.

1) Input validation error (CVE-ID: N/A)

The vulnerability allows a remote attacker to disclose sensitive information and perform server-side request forgery.

The vulnerability exists due to improper input validation in ProjectScanner.scan_remote() when processing attacker-controlled repository URLs. A remote attacker can supply a crafted repository URL to disclose sensitive information and perform server-side request forgery.

The issue can expose the configured GH_TOKEN through HTTP Basic Auth and can direct requests to internal or localhost services reachable by the scanner.

2) Improper Neutralization of Escape, Meta, or Control Sequences (CVE-ID: N/A)

The vulnerability allows a remote attacker to disclose sensitive information and modify terminal or log output.

The vulnerability exists due to improper neutralization of escape sequences in human-readable scan output when rendering attacker-controlled filenames, file locations, messages, and code snippets. A remote attacker can craft malicious package content to disclose sensitive information and modify terminal or log output.

User interaction is required to view the human-readable output, and compatible terminals or CI logs may interpret ANSI or OSC escape sequences.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

• https://github.com/DataDog/guarddog/security/advisories/GHSA-587r-mc96-6f2p
• https://github.com/DataDog/guarddog/security/advisories/GHSA-m5p4-gvpx-4mvr