GuardDog: Unsanitized human-readable scan output allows terminal escape injection from malicious package content
Description
# Summary

GuardDog includes attacker-controlled filenames, file locations, messages, and code snippets in its default human-readable output without escaping terminal control characters. A malicious package can therefore inject ANSI or OSC escape sequences into analyst terminals or CI logs.
# Description

The finding formatter stores file paths and snippets from scanned content:

```python
# file_path, start_line and code come from the scanned package; the message
# comes from the matching Semgrep rule. None of them is escaped here.
location = file_path + ":" + str(start_line)
finding = {
    "location": location,
    "code": code,
    "message": result["extra"]["message"],
}
```

The human-readable reporter later prints these values directly:

```python
" * " + finding["message"] + " at " + finding["location"] + "\n " + _format_code_line_for_output(finding["code"])
```

No escaping is applied for control characters such as `\x1b`. A malicious package can therefore ship a filename like:

```
evil\x1b[2J.py
```

or matched source lines containing terminal escapes, which survive into the final CLI output.
# Reproduction summary

1. Create a file whose name contains `\x1b[2J`.
2. Feed a semgrep-style result referencing that file into `Analyzer._format_semgrep_response()`.
3. Render the result with `HumanReadableReporter.print_scan_results()`.
4. The output string contains the raw escape bytes, which a terminal may interpret.

# Key code paths

- guarddog/analyzer/analyzer.py:377-392
- guarddog/reporters/human_readable.py:36-42
- guarddog/reporters/human_readable.py:84-91

# Practical impact

This can be used to:

- clear or rewrite analyst terminal output
- inject misleading or spoofed log content in CI
- emit clickable OSC 8 hyperlinks or title changes in compatible terminals
# Prior public disclosure check

As of 2026-03-18, no matching public GitHub advisory, CVE, or public repo issue was found for this specific bug.

# Suggested fix

Escape or strip terminal control characters before rendering any attacker-controlled value in human-readable output. This should cover package names, file paths, messages, and code snippets.
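The rendering pattern quoted in the description, the reproduction above, and the suggested fix, as an added example that is not GuardDog's own code: `format_finding_unsafe` mirrors the unescaped concatenation, `format_finding_safe` escapes every attacker-influenced value before it reaches the output string, and `contains_unexpected_control_chars` is a check a CI job could run over captured report text. The function names, the regexes and the sample finding are constructed for this illustration; only the finding keys (`location`, `code`, `message`) follow the advisory.

```python
import re
from typing import Dict

# Constructed sample finding (not taken from any real package): the filename
# carries an ANSI "clear screen" sequence (ESC [ 2 J) and the matched source
# line carries an OSC 8 hyperlink (ESC ] 8 ; ; url ESC \ text ESC ] 8 ; ; ESC \).
EVIL_FINDING: Dict[str, str] = {
    "location": "evil\x1b[2J.py:12",
    "code": "url = '\x1b]8;;https://example.invalid\x1b\\click here\x1b]8;;\x1b\\'",
    "message": "Suspicious network call",
}

# Every C0 control (0x00-0x1f), DEL (0x7f) and C1 control (0x80-0x9f).
# ESC (0x1b) and the single-byte C1 CSI (0x9b) are included, so every ANSI CSI
# or OSC sequence loses its introducer. Tab and newline are escaped as well:
# a newline inside a filename would otherwise let a package forge extra
# report lines that look like genuine findings.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f\x80-\x9f]")

# When checking an already-rendered report or a captured CI log, newline and
# tab are expected formatting, so only the other control characters are flagged.
_UNEXPECTED_IN_LOG = re.compile(r"[\x00-\x08\x0b-\x1f\x7f\x80-\x9f]")


def escape_control_chars(value: str) -> str:
    """Replace each control character with its visible \\xNN form.

    Escaping rather than stripping keeps the evidence that the package tried
    to inject a sequence, which is itself useful to the analyst.
    """
    return _CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group()), value)


def format_finding_unsafe(finding: Dict[str, str]) -> str:
    """Mirror the unescaped concatenation pattern quoted in the advisory."""
    return (" * " + finding["message"] + " at " + finding["location"]
            + "\n    " + finding["code"])


def format_finding_safe(finding: Dict[str, str]) -> str:
    """Same layout, but every attacker-influenced value is escaped first."""
    return (" * " + escape_control_chars(finding["message"])
            + " at " + escape_control_chars(finding["location"])
            + "\n    " + escape_control_chars(finding["code"]))


def contains_unexpected_control_chars(rendered: str) -> bool:
    """True if a rendered report (or CI log text) still carries raw escape bytes."""
    return _UNEXPECTED_IN_LOG.search(rendered) is not None


if __name__ == "__main__":
    unsafe = format_finding_unsafe(EVIL_FINDING)
    safe = format_finding_safe(EVIL_FINDING)
    # repr() keeps this demonstration from emitting the raw escapes itself.
    print("unsafe:", repr(unsafe))
    print("safe:  ", repr(safe))
    print("raw escapes in unsafe output:", contains_unexpected_control_chars(unsafe))
    print("raw escapes in safe output:  ", contains_unexpected_control_chars(safe))
```

Escaping at the reporter boundary, as `format_finding_safe` does, covers every field at once; escaping only the filename would leave the code snippet and rule message as injection points, which is why the advisory's fix lists all of them.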
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GuardDog's human-readable output does not escape terminal control characters, allowing malicious packages to inject ANSI/OSC escape sequences into analyst terminals or CI logs.
Vulnerability
Overview
CVE-2026-44972 describes a terminal escape injection vulnerability in the GuardDog CLI tool. GuardDog is a security scanner that analyzes packages from PyPI, npm, Go modules, RubyGems, GitHub Actions, and VSCode extensions using heuristics and Semgrep rules [1]. The vulnerability arises because the HumanReadableReporter prints attacker-controlled values—such as file paths, code snippets, and messages—directly into the output without escaping terminal control characters like \x1b [2].
Exploitation
Details
A malicious package can include filenames or source code lines containing ANSI escape sequences (e.g., \x1b[2J to clear the screen) or OSC sequences (e.g., for hyperlinks or title changes). When GuardDog scans such a package and renders the results using HumanReadableReporter.print_scan_results(), the raw escape bytes are included in the output string. If the output is displayed in a terminal or captured in CI logs, the terminal may interpret these sequences, leading to visual manipulation or spoofing [2].
Impact
An attacker can exploit this to clear or rewrite analyst terminal output, inject misleading or spoofed log content in CI pipelines, or emit clickable OSC 8 hyperlinks or title changes in compatible terminals. This could be used to hide malicious activity, misdirect analysts, or tamper with automated log processing [2].
Mitigation
As of the publication date (2026-05-11), no patch has been released. The suggested fix is to escape or strip terminal control characters before rendering any attacker-controlled value in human-readable output, covering package names, file paths, messages, and code snippets [2]. Users should monitor the GuardDog repository for updates [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| guarddog | PyPI | >= 2.6.0, <= 2.9.0 | none |
Affected products

Patches

No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References

News mentions

No linked articles in our index yet.