CVE-2026-33320

Published: Mar 24, 2026 Last Modified: Mar 24, 2026

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 6,2

Source: [email protected]

Attack Vector: local

Attack Complexity: low

Privileges Required: none

User Interaction: none

Scope: unchanged

Confidentiality: none

Integrity: none

Availability: high

Description

AI Translation Available

Dasel is a command-line tool and library for querying, modifying, and transforming data structures. Starting in version 3.0.0 and prior to version 3.3.1, Dasel's YAML reader allows an attacker who can supply YAML for processing to trigger extreme CPU and memory consumption. The issue is in the library's own `UnmarshalYAML` implementation, which manually resolves alias nodes by recursively following `yaml.Node.Alias` pointers without any expansion budget, bypassing go-yaml v4's built-in alias expansion limit. Version 3.3.2 contains a patch for the issue.

674

Uncontrolled Recursion

Draft

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Availability Confidentiality

Potential Impacts:

Dos: Resource Consumption (Cpu) Dos: Resource Consumption (Memory) Read Application Data

Applicable Platforms

All platforms may be affected

View CWE Details

https://github.com/TomWright/dasel/security/advisories/GHSA…

https://github.com/TomWright/dasel/security/advisories/GHSA-4fcp-jxh7-23x8

CVE-2026-33320

Description

Uncontrolled Recursion

Common Consequences

Applicable Platforms

Iscriviti alla newsletter