CVE-2026-44219: CWE-770: Allocation of Resources Without Limits or Throttling in Jo-Jo98 ciguard
ciguard is a static security auditor for CI/CD pipelines. From 0.6.0 to 0.8.1, both SCA HTTP clients (src/ciguard/analyzer/sca/osv.py and src/ciguard/analyzer/sca/endoflife.py) call payload = json.loads(resp.read().decode('utf-8')) without a maximum-bytes cap. A hostile or compromised endoflife.date / OSV.dev (or a successful TLS MITM) could return a multi-GB response, exhausting the ciguard process's memory. This vulnerability is fixed in 0.8.2.
AI Analysis
Technical Summary
The vulnerability in ciguard versions 0.6.0 to 0.8.1 arises from the lack of a maximum-bytes cap when reading HTTP responses in the SCA HTTP clients (specifically in src/ciguard/analyzer/sca/osv.py and src/ciguard/analyzer/sca/endoflife.py). This allows a hostile or compromised endoflife.date or OSV.dev server, or an attacker performing a successful TLS man-in-the-middle attack, to send a multi-gigabyte response. The large response can exhaust the memory of the ciguard process, leading to denial of service. The issue is resolved in version 0.8.2.
Potential Impact
The impact is limited to availability, where the ciguard process may exhaust system memory and crash or become unresponsive due to processing an excessively large HTTP response. There is no impact on confidentiality or integrity. No known exploits are reported in the wild.
Mitigation Recommendations
Upgrade ciguard to version 0.8.2 or later, where this vulnerability is fixed by enforcing limits on the size of HTTP responses processed by the SCA clients. Since this is a client-side software vulnerability, patching the affected versions is the recommended remediation. No other mitigations are indicated.
CVE-2026-44219: CWE-770: Allocation of Resources Without Limits or Throttling in Jo-Jo98 ciguard
Description
ciguard is a static security auditor for CI/CD pipelines. From 0.6.0 to 0.8.1, both SCA HTTP clients (src/ciguard/analyzer/sca/osv.py and src/ciguard/analyzer/sca/endoflife.py) call payload = json.loads(resp.read().decode('utf-8')) without a maximum-bytes cap. A hostile or compromised endoflife.date / OSV.dev (or a successful TLS MITM) could return a multi-GB response, exhausting the ciguard process's memory. This vulnerability is fixed in 0.8.2.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in ciguard versions 0.6.0 to 0.8.1 arises from the lack of a maximum-bytes cap when reading HTTP responses in the SCA HTTP clients (specifically in src/ciguard/analyzer/sca/osv.py and src/ciguard/analyzer/sca/endoflife.py). This allows a hostile or compromised endoflife.date or OSV.dev server, or an attacker performing a successful TLS man-in-the-middle attack, to send a multi-gigabyte response. The large response can exhaust the memory of the ciguard process, leading to denial of service. The issue is resolved in version 0.8.2.
Potential Impact
The impact is limited to availability, where the ciguard process may exhaust system memory and crash or become unresponsive due to processing an excessively large HTTP response. There is no impact on confidentiality or integrity. No known exploits are reported in the wild.
Mitigation Recommendations
Upgrade ciguard to version 0.8.2 or later, where this vulnerability is fixed by enforcing limits on the size of HTTP responses processed by the SCA clients. Since this is a client-side software vulnerability, patching the affected versions is the recommended remediation. No other mitigations are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-05T15:42:40.517Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a038bd7cbff5d861016495a
Added to database: 5/12/2026, 8:21:43 PM
Last enriched: 5/12/2026, 8:39:24 PM
Last updated: 5/13/2026, 4:58:41 AM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.