CVE-2026-33320

Exploit

EPSS 0.21%
Veröffentlicht 24.03.2026 00:06:22
Zuletzt bearbeitet 25.03.2026 16:08:49
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Dasel has unbounded YAML alias expansion in dasel leads to CPU/memory denial of service

Dasel is a command-line tool and library for querying, modifying, and transforming data structures. Starting in version 3.0.0 and prior to version 3.3.1, Dasel's YAML reader allows an attacker who can supply YAML for processing to trigger extreme CPU and memory consumption. The issue is in the library's own `UnmarshalYAML` implementation, which manually resolves alias nodes by recursively following `yaml.Node.Alias` pointers without any expansion budget, bypassing go-yaml v4's built-in alias expansion limit. Version 3.3.2 contains a patch for the issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Tomwright ≫ Dasel SwPlatformgo Version >= 3.0.0 < 3.3.2

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.21%	0.112

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	6.2	2.5	3.6	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-674 Uncontrolled Recursion

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

https://github.com/TomWright/dasel/security/advisories/GHSA-4fcp-jxh7-23x8

Vendor Advisory

Exploit

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2026-33320

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-33320

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-33320

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-33320