Unbounded YAML alias expansion in Dasel leads to CPU/memory denial of service
Description
Dasel is a command-line tool and library for querying, modifying, and transforming data structures. Starting in version 3.0.0 and prior to version 3.3.1, Dasel's YAML reader allows an attacker who can supply YAML for processing to trigger extreme CPU and memory consumption. The issue is in the library's own UnmarshalYAML implementation, which manually resolves alias nodes by recursively following yaml.Node.Alias pointers without any expansion budget, bypassing go-yaml v4's built-in alias expansion limit. Version 3.3.2 contains a patch for the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dasel before 3.3.1 has a YAML alias expansion bomb vulnerability that allows attackers to cause a denial of service via crafted YAML.
Vulnerability
CVE-2026-33320 is a denial of service vulnerability in the Dasel command-line tool and library, affecting versions 3.0.0 through 3.3.1. The bug exists in Dasel's custom UnmarshalYAML implementation for YAML parsing, which recursively resolves alias nodes by following yaml.Node.Alias pointers without any expansion budget. This bypasses the built-in alias expansion limit in go-yaml v4, allowing a small crafted input to cause exponential growth in CPU and memory consumption [1][2].
Exploitation
An attacker who can supply YAML for processing—for example, by feeding Dasel a malicious file or piping data to the command-line tool—can trigger the vulnerability. The reference advisory demonstrates a 342-byte payload with a 9-level alias bomb (each level referencing the previous alias multiple times) that causes unbounded recursive expansion. The affected code path is reached when Dasel processes YAML using its parsing library, which ultimately calls the UnmarshalYAML hook that recursively follows value.Alias pointers without a stopping condition or budget [2].
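As an added illustration (not Dasel's or go-yaml's code), this Go program models the alias walk described above on a constructed stand-in for yaml.Node and shows the fix pattern: charging every alias hop to a per-document budget so an alias bomb fails fast instead of expanding without bound. The Node type, expand and aliasBomb are all assumptions for this example; the tree shape (each level a sequence of aliases to the level below) follows the payload description above.

```go
package main

import "fmt"

// Node is a constructed stand-in for go-yaml's yaml.Node, reduced to the two
// fields an alias walk touches: Content (children) and Alias (anchored target).
type Node struct {
	Content []*Node
	Alias   *Node
}
var ErrAliasBudget = fmt.Errorf("yaml: alias expansion budget exceeded")
// expand follows Alias pointers like a naive UnmarshalYAML, but charges every
// alias hop to a shared budget so a bomb fails fast. Returns the leaf count.
func expand(n *Node, budget *int) (int, error) {
	if n.Alias != nil {
		if *budget -= 1; *budget < 0 {
			return 0, ErrAliasBudget
		}
		return expand(n.Alias, budget)
	}
	if len(n.Content) == 0 {
		return 1, nil // scalar leaf
	}
	total := 0
	for _, c := range n.Content {
		k, err := expand(c, budget)
		if err != nil {
			return 0, err
		}
		total += k
	}
	return total, nil
}
// aliasBomb mirrors the payload shape described above: each level is a sequence
// of fanout aliases to the level below (1022 alias hops for 9 levels, fanout 2).
func aliasBomb(levels, fanout int) *Node {
	prev := &Node{} // level 0: a scalar
	for i := 0; i < levels; i++ {
		seq := &Node{}
		for j := 0; j < fanout; j++ {
			seq.Content = append(seq.Content, &Node{Alias: prev})
		}
		prev = seq
	}
	return prev
}
func main() {
	budget := 1000 // below the 1022 hops the bomb needs, so it aborts early
	fmt.Println(expand(aliasBomb(9, 2), &budget))
}
```

A document without aliases never touches the budget, so a limit sized for legitimate anchor reuse costs nothing on normal input.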
Impact
Successful exploitation results in extreme CPU and memory consumption, effectively causing a denial of service. The test payload did not complete within 5 seconds and exhibited unbounded resource growth, indicating that even moderate-sized inputs can exhaust system resources, making Dasel unresponsive or causing it to crash [2].
Mitigation
The issue has been patched in Dasel version 3.3.2. Users should upgrade to this or a later version to eliminate the vulnerability. No workarounds are mentioned in the advisories [1][2].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/tomwright/dasel/v3 (Go) | >= 3.0.0, < 3.3.2 | 3.3.2 |
Affected products (2)
Patches (0)
No patches discovered yet.
References
- github.com/advisories/GHSA-4fcp-jxh7-23x8 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-33320 (GHSA, advisory)
- github.com/TomWright/dasel/security/advisories/GHSA-4fcp-jxh7-23x8 (GHSA, x_refsource_CONFIRM, web)