Description
Dasel is a command-line tool and library for querying, modifying, and transforming data structures. Starting in version 3.0.0 and prior to version 3.3.1, Dasel's YAML reader allows an attacker who can supply YAML for processing to trigger extreme CPU and memory consumption. The issue is in the library's own `UnmarshalYAML` implementation, which manually resolves alias nodes by recursively following `yaml.Node.Alias` pointers without any expansion budget, bypassing go-yaml v4's built-in alias expansion limit. Version 3.3.2 contains a patch for the issue.
Published: 2026-03-24
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via unlimited YAML alias expansion
Action: Apply Patch
AI Analysis

Impact

Dasel's YAML reader can fully expand aliases without any limit, causing extreme CPU and memory usage when parsing malicious YAML. This leads to a denial‑of‑service condition for the process handling the input. The flaw is a classic uncontrolled recursion weakness (CWE‑674). The impact is that an attacker who can supply YAML data to dasel—whether by feeding a file to the command‑line tool or by invoking the library in an application—can exhaust host resources and make the process unresponsive.
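The mechanism behind the weakness, and the shape of a fix, is easier to see in code. The following Go program is an added illustration, not dasel's own `UnmarshalYAML` and not the upstream patch; it uses a hypothetical `Node` type that stands in for go-yaml's `yaml.Node` (same `Kind`/`Content`/`Alias` shape, assumed for the demo) so it runs without any third-party module. It places the unbounded resolver beside a budgeted one and feeds both a small constructed nest of aliases; the budgeted version also terminates on a self-referencing anchor, which the unbounded version never would.

```go
package main

import (
	"errors"
	"fmt"
)

// Kind and Node are a stand-in for go-yaml's yaml.Node (assumption: same
// Kind/Content/Alias shape) so this demo runs without the third-party module.
type Kind int

const (
	ScalarNode Kind = iota
	SequenceNode
	AliasNode
)

// An AliasNode's Alias field points at the anchored node it refers to.
type Node struct {
	Kind    Kind
	Value   string
	Content []*Node
	Alias   *Node
}

var ErrExpansionBudget = errors.New("yaml: alias expansion exceeds budget")

// resolveUnbounded is the flawed pattern: every alias target is copied in full,
// so nested anchors multiply the output and a self-referencing anchor never ends.
func resolveUnbounded(n *Node) *Node {
	if n.Kind == AliasNode {
		return resolveUnbounded(n.Alias)
	}
	out := &Node{Kind: n.Kind, Value: n.Value}
	for _, c := range n.Content {
		out.Content = append(out.Content, resolveUnbounded(c))
	}
	return out
}

// resolveBudgeted follows aliases the same way but charges each materialised
// node against one shared budget and fails closed when it is spent. The shared
// budget also terminates cyclic anchors that would otherwise recurse forever.
func resolveBudgeted(n *Node, budget *int) (*Node, error) {
	if n.Kind == AliasNode {
		return resolveBudgeted(n.Alias, budget)
	}
	if *budget <= 0 {
		return nil, ErrExpansionBudget
	}
	*budget--
	out := &Node{Kind: n.Kind, Value: n.Value}
	for _, c := range n.Content {
		rc, err := resolveBudgeted(c, budget)
		if err != nil {
			return nil, err
		}
		out.Content = append(out.Content, rc)
	}
	return out, nil
}

// countNodes returns the number of nodes in an expanded tree.
func countNodes(n *Node) int {
	total := 1
	for _, c := range n.Content {
		total += countNodes(c)
	}
	return total
}

// buildNestedAliases constructs the shape behind this bug: depth levels, each a
// sequence of fanout aliases to the level below, so the expansion grows as
// fanout^depth. This is constructed demo input, not a real YAML document.
func buildNestedAliases(depth, fanout int) *Node {
	prev := &Node{Kind: ScalarNode, Value: "x"}
	for i := 0; i < depth; i++ {
		seq := &Node{Kind: SequenceNode}
		for j := 0; j < fanout; j++ {
			seq.Content = append(seq.Content, &Node{Kind: AliasNode, Alias: prev})
		}
		prev = seq
	}
	return prev
}

func main() {
	tree := buildNestedAliases(3, 3) // small enough to expand safely: 40 nodes
	fmt.Println("unbounded:", countNodes(resolveUnbounded(tree)), "nodes")
	budget := 20
	_, err := resolveBudgeted(tree, &budget)
	fmt.Println("budget 20:", err)
	cyc := &Node{Kind: SequenceNode} // the YAML equivalent of `&a [*a]`
	cyc.Content = []*Node{{Kind: AliasNode, Alias: cyc}}
	budget = 8
	_, err = resolveBudgeted(cyc, &budget)
	fmt.Println("cyclic anchor:", err)
}
```

The design point is that the budget is a single counter shared across the whole document rather than a per-branch depth limit: a depth limit alone does not stop a shallow but wide nest, and a per-call limit does not stop the same anchor being re-expanded many times. Charging every materialised node against one document-wide budget bounds total work regardless of how the aliases are arranged, which is the property a caller that accepts untrusted YAML needs.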

Affected Systems

TomWright's dasel, versions 3.0.0 through 3.3.1, is affected. Version 3.3.2 fixes the issue.

Risk and Exploitability

The CVSS score of 6.2 indicates moderate severity. The EPSS score of less than 1% signals a low likelihood of exploitation in the wild, and the vulnerability is not listed in CISA's KEV catalog. Attackers would need to supply crafted YAML to dasel; the vulnerability is local unless an application incorporating dasel processes untrusted data from a remote source. No public exploit is documented. Patch or mitigate the unbounded expansion to eliminate the risk.

Generated by OpenCVE AI on March 25, 2026 at 19:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade tomwright/dasel to version 3.3.2 or later
  • Verify that the installed binary matches the patched version
  • If the tool is used within an application, ensure it cannot receive untrusted YAML from external inputs
  • Monitor resource usage for signs of denial‑of‑service attacks

Generated by OpenCVE AI on March 25, 2026 at 19:40 UTC.

Advisories
Source: Github GHSA
ID: GHSA-4fcp-jxh7-23x8
Title: Dasel has unbounded YAML alias expansion in dasel leads to CPU/memory denial of service
History

Thu, 26 Mar 2026 13:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 16:15:00 +0000

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:tomwright:dasel:*:*:*:*:*:go:*:*

Tue, 24 Mar 2026 10:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Tomwright; Tomwright dasel

Type: Vendors & Products
Values Removed: (none)
Values Added: Tomwright; Tomwright dasel

Tue, 24 Mar 2026 02:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: Dasel is a command-line tool and library for querying, modifying, and transforming data structures. Starting in version 3.0.0 and prior to version 3.3.1, Dasel's YAML reader allows an attacker who can supply YAML for processing to trigger extreme CPU and memory consumption. The issue is in the library's own `UnmarshalYAML` implementation, which manually resolves alias nodes by recursively following `yaml.Node.Alias` pointers without any expansion budget, bypassing go-yaml v4's built-in alias expansion limit. Version 3.3.2 contains a patch for the issue.

Type: Title
Values Removed: (none)
Values Added: Dasel has unbounded YAML alias expansion in dasel leads to CPU/memory denial of service

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-674

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T12:24:32.421Z

Reserved: 2026-03-18T21:23:36.677Z

Link: CVE-2026-33320

Vulnrichment

Updated: 2026-03-26T12:24:27.905Z

NVD

Status : Analyzed

Published: 2026-03-24T01:17:02.203

Modified: 2026-03-25T16:08:49.057

Link: CVE-2026-33320

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:40:45Z

Weaknesses