GHSA-xw8c-rrvx-f7xq

Summary

Both SCA HTTP clients (src/ciguard/analyzer/sca/osv.py and src/ciguard/analyzer/sca/endoflife.py) call payload = json.loads(resp.read().decode('utf-8')) without a maximum-bytes cap. A hostile or compromised endoflife.date / OSV.dev (or a successful TLS MITM) could return a multi-GB response, exhausting the ciguard process's memory.

Threat scenario

ciguard process memory exhaustion → OOM kill or system swap thrash. Realistic when ciguard runs in CI with a limited memory budget (typical: 4-8 GB). No data integrity or confidentiality impact.

Realism caveat: both URLs are hardcoded HTTPS, so this is a low-realism threat (HTTPS prevents MITM unless the attacker controls a trusted CA or hijacks DNS in a way that doesn't trigger cert validation). The unbounded read is structural defence-in-depth, not a directly exploitable bug today.

Patch

• New MAX_RESPONSE_BYTES = 5 * 1024 * 1024 (5 MB) constant in both modules.
• body = resp.read(MAX_RESPONSE_BYTES + 1) with overflow check returns None (caller falls back to stale cache).
• 3 regression tests in tests/test_sca_rules.py::TestSCAResponseSizeCap.

Discovery

Found during ciguard's first self-conducted pentest cycle, 2026-04-26.

CVSS Scoring

• CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L — 3.7 (Low)
• CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N — first.org calc 3.1 (Low); GitHub's calc 6.3 (Medium). Vector is correct — choosing v3.1 as the structured score keeps the consistent Low rating across consumers.

Reproduction

Monkey-patch urllib.request.urlopen to return a fake 50 MB response; observe memory growth before/after the call. Pre-fix: process memory grows by ~50 MB. Post-fix: _fetch returns None, memory growth bounded to MAXRESPONSEBYTES.

References

• Fix released in v0.8.2
• CI regression gate added in v0.8.3
• https://www.cve.org/CVERecord?id=CVE-2026-44219