Moderate severity · NVD Advisory · Published Mar 24, 2026 · Updated Mar 26, 2026
Dasel: unbounded YAML alias expansion leads to CPU/memory denial of service
CVE-2026-33320
Description
Dasel is a command-line tool and library for querying, modifying, and transforming data structures. Starting in version 3.0.0 and prior to version 3.3.1, Dasel's YAML reader allows an attacker who can supply YAML for processing to trigger extreme CPU and memory consumption. The issue is in the library's own UnmarshalYAML implementation, which manually resolves alias nodes by recursively following yaml.Node.Alias pointers without any expansion budget, bypassing go-yaml v4's built-in alias expansion limit. Version 3.3.2 contains a patch for the issue.
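The mitigation the description implies, an expansion budget charged while aliases are followed, sketched as an added example. This is not dasel's code or its patch: `Node`, `Resolve`, `Nested` and `ErrBudget` are hypothetical names, and `Node` is a simplified stand-in for a parsed YAML node so the block runs with the standard library only.

```go
package main

import "errors"

// Node is a simplified stand-in for a parsed YAML node (hypothetical type).
type Node struct {
	Alias   *Node   // non-nil: this node is an alias for that target
	Content []*Node // non-empty: sequence children
	Value   string  // scalar value otherwise
}

var ErrBudget = errors.New("yaml: alias expansion budget exceeded")

// Resolve materialises n, charging one unit per node visited, aliased targets included.
func Resolve(n *Node, budget *int) (any, error) {
	if (*budget)--; *budget < 0 {
		return nil, ErrBudget // stop before any more work or allocation
	}
	if n.Alias != nil {
		return Resolve(n.Alias, budget) // the target is paid for on every reference
	}
	if len(n.Content) == 0 {
		return n.Value, nil
	}
	out := make([]any, 0, len(n.Content))
	for _, c := range n.Content {
		v, err := Resolve(c, budget)
		if err != nil {
			return nil, err
		}
		out = append(out, v)
	}
	return out, nil
}

// Nested builds a constructed sample: each level holds two aliases to the level below.
func Nested(levels int) *Node {
	cur := &Node{Value: "x"}
	for i := 0; i < levels; i++ {
		cur = &Node{Content: []*Node{{Alias: cur}, {Alias: cur}}}
	}
	return cur
}

func main() {
	budget := 1000
	_, err := Resolve(Nested(30), &budget) // 91 nodes in memory, billions if fully expanded
	println(err.Error())
}
```

The budget is shared across the whole document rather than reset per alias, so the cost of resolving is bounded by the budget no matter how the aliases nest.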
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/tomwright/dasel/v3 (Go) | >= 3.0.0, < 3.3.2 | 3.3.2 |
Affected products
- ghsa-coords (2 versions): pkg:golang/github.com/tomwright/dasel/v3, pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
- (no CPE) range: >= 3.0.0, < 3.3.2
- (no CPE) range: < 0.0.20260326T203309-150000.1.155.2
References
- github.com/advisories/GHSA-4fcp-jxh7-23x8 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-33320 (ghsa, ADVISORY)
- github.com/TomWright/dasel/security/advisories/GHSA-4fcp-jxh7-23x8 (ghsa, x_refsource_CONFIRM, WEB)