Description
Dasel is a command-line tool and library for querying, modifying, and transforming data structures. From 3.0.0 until 3.10.1, the selector lexer matchRegexPattern closure in (*Tokenizer).parseCurRune in selector/lexer/tokenize.go loops while tokenizing an unterminated regex literal such as r/ because peekRuneEqual returns false after the end of input, allowing attacker-controlled selector strings to consume CPU indefinitely. This issue is fixed in version 3.10.1.
No analysis available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-m6xr-fvfg-5g64 | Dasel: Denial of service in dasel selector lexer due to infinite loop on unterminated regex literal |
References
History
Thu, 16 Jul 2026 20:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Tomwright
Tomwright dasel |
|
| Vendors & Products |
Tomwright
Tomwright dasel |
Thu, 16 Jul 2026 18:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Dasel is a command-line tool and library for querying, modifying, and transforming data structures. From 3.0.0 until 3.10.1, the selector lexer matchRegexPattern closure in (*Tokenizer).parseCurRune in selector/lexer/tokenize.go loops while tokenizing an unterminated regex literal such as r/ because peekRuneEqual returns false after the end of input, allowing attacker-controlled selector strings to consume CPU indefinitely. This issue is fixed in version 3.10.1. | |
| Title | Dasel: Denial of service in dasel selector lexer due to infinite loop on unterminated regex literal | |
| Weaknesses | CWE-835 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-16T17:57:33.923Z
Reserved: 2026-05-13T19:53:47.921Z
Link: CVE-2026-46378
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-16T20:00:05Z
Weaknesses
-
CWE-835
Loop with Unreachable Exit Condition ('Infinite Loop')
Github GHSA