What is GHSA-xw8c-rrvx-f7xq?

GHSA-xw8c-rrvx-f7xq is a security advisory published by GitHub Security Advisories with Medium severity. ciguard: SCA HTTP client reads response body without size cap

Which CVE IDs does GHSA-xw8c-rrvx-f7xq cover?

GHSA-xw8c-rrvx-f7xq covers the following CVE IDs: CVE-2026-44219. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-xw8c-rrvx-f7xq?

GHSA-xw8c-rrvx-f7xq has a CVSS v3 base score of 3.7, published by GitHub Security Advisories.

Which products are affected by GHSA-xw8c-rrvx-f7xq?

GHSA-xw8c-rrvx-f7xq affects 1 product, including: pip/ciguard:\u003e= 0.6.0, \u003c= 0.8.1.

GHSA-xw8c-rrvx-f7xqMediumCVSS 3.7

ciguard: SCA HTTP client reads response body without size cap

Vendor

GitHub Security Advisories

Published

May 5, 2026

Last Modified

May 15, 2026

🔗 CVE IDs covered (1)

CVE-2026-44219 →

📋 Description

## Summary Both SCA HTTP clients (`src/ciguard/analyzer/sca/osv.py` and `src/ciguard/analyzer/sca/endoflife.py`) call `payload = json.loads(resp.read().decode('utf-8'))` without a maximum-bytes cap. A hostile or compromised endoflife.date / OSV.dev (or a successful TLS MITM) could return a multi-GB response, exhausting the ciguard process's memory. ## Threat scenario ciguard process memory exhaustion → OOM kill or system swap thrash. Realistic when ciguard runs in CI with a limited memory budget (typical: 4-8 GB). No data integrity or confidentiality impact. **Realism caveat:** both URLs are hardcoded HTTPS, so this is a low-realism threat (HTTPS prevents MITM unless the attacker controls a trusted CA or hijacks DNS in a way that doesn't trigger cert validation). The unbounded read is structural defence-in-depth, not a directly exploitable bug today. ## Patch - New `MAX_RESPONSE_BYTES = 5 * 1024 * 1024` (5 MB) constant in both modules. - `body = resp.read(MAX_RESPONSE_BYTES + 1)` with overflow check returns `None` (caller falls back to stale cache). - 3 regression tests in `tests/test_sca_rules.py::TestSCAResponseSizeCap`. ## Discovery Found during ciguard's first self-conducted pentest cycle, 2026-04-26. ## CVSS Scoring - CVSS v3.1: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L` — 3.7 (Low) - CVSS v4.0: `CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N` — first.org calc 3.1 (Low); GitHub's calc 6.3 (Medium). Vector is correct — choosing v3.1 as the structured score keeps the consistent Low rating across consumers. ## Reproduction Monkey-patch `urllib.request.urlopen` to return a fake 50 MB response; observe memory growth before/after the call. Pre-fix: process memory grows by ~50 MB. Post-fix: `_fetch` returns `None`, memory growth bounded to MAX_RESPONSE_BYTES. ## References - Fix released in [v0.8.2](https://github.com/Jo-Jo98/ciguard/releases/tag/v0.8.2) - CI regression gate added in [v0.8.3](https://github.com/Jo-Jo98/ciguard/releases/tag/v0.8.3) - https://www.cve.org/CVERecord?id=CVE-2026-44219

🎯 Affected products1

pip/ciguard:>= 0.6.0, <= 0.8.1

🔗 CVE IDs covered (1)

📋 Description

🎯 Affected products1

🔗 References (5)