Description
ciguard is a static security auditor for CI/CD pipelines. From 0.6.0 to 0.8.1, both SCA HTTP clients (src/ciguard/analyzer/sca/osv.py and src/ciguard/analyzer/sca/endoflife.py) call payload = json.loads(resp.read().decode('utf-8')) without a maximum-bytes cap. A hostile or compromised endoflife.date / OSV.dev (or a successful TLS MITM) could return a multi-GB response, exhausting the ciguard process's memory. This vulnerability is fixed in 0.8.2.
Published: 2026-05-12
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ciguard is a CI/CD pipeline security auditor that, between versions 0.6.0 and 0.8.1, uses two HTTP client modules to fetch vulnerability data from third‑party services. These modules read the entire HTTP response body with json.loads(resp.read().decode('utf-8')) without imposing any maximum size limit. If an attacker can influence the data source—by compromising endoflife.date/OSV.dev or performing a TLS man‑in‑the‑middle attack—a response containing several gigabytes can be returned, causing the ciguard process to consume enormous amounts of memory until it is terminated. The primary impact is a local denial of service that disrupts pipeline runs, rather than privilege escalation or data disclosure.

Affected Systems

The affected product is Jo‑Jo98 ciguard, specifically versions 0.6.0 through 0.8.1. No other vendors or products are listed as affected.

Risk and Exploitability

The CVSS base score is 3.7 and an EPSS score is not available, indicating a moderate severity and uncertain exploitation likelihood. The vulnerability is not included in the CISA KEV catalog. Attackers would need access to the vended HTTP endpoints used by ciguard, suggesting a network‑based vector where the victim’s environment connects to an external service. Successful exploitation would require the attacker to supply a very large payload; thus, the opportunity is limited to contexts that allow such data to be sent to the client.

Generated by OpenCVE AI on May 12, 2026 at 21:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ciguard to version 0.8.2 or later, which includes the fix for this issue
  • Restrict the runtime environment of ciguard with container or Kubernetes resource limits to prevent memory overcommit on crashes
  • Consider disabling or removing the SCA HTTP clients if they are not required for your pipelines

Generated by OpenCVE AI on May 12, 2026 at 21:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-xw8c-rrvx-f7xq ciguard: SCA HTTP client reads response body without size cap
History

Wed, 13 May 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Jo-jo98
Jo-jo98 ciguard
Vendors & Products Jo-jo98
Jo-jo98 ciguard

Tue, 12 May 2026 20:15:00 +0000

Type Values Removed Values Added
Description ciguard is a static security auditor for CI/CD pipelines. From 0.6.0 to 0.8.1, both SCA HTTP clients (src/ciguard/analyzer/sca/osv.py and src/ciguard/analyzer/sca/endoflife.py) call payload = json.loads(resp.read().decode('utf-8')) without a maximum-bytes cap. A hostile or compromised endoflife.date / OSV.dev (or a successful TLS MITM) could return a multi-GB response, exhausting the ciguard process's memory. This vulnerability is fixed in 0.8.2.
Title ciguard: SCA HTTP client reads response body without size cap
Weaknesses CWE-770
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Jo-jo98 Ciguard
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-13T14:20:04.224Z

Reserved: 2026-05-05T15:42:40.517Z

Link: CVE-2026-44219

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-05-12T20:16:42.767

Modified: 2026-05-13T17:02:28.447

Link: CVE-2026-44219

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T10:36:16Z

Weaknesses