6.2
Dasel's YAML Parser Crashes System with Huge Input
GHSA-4fcp-jxh7-23x8
GO-2026-4768
CVE-2026-33320
Summary
Dasel's YAML parser can be exploited with an overly large YAML file, causing it to consume all available CPU and memory, freezing or crashing the system. This is due to a flaw in the way the parser handles alias nodes in the YAML file. To avoid this issue, update to the latest version of Dasel.
What to do
- Update github.com/tomwright/dasel/v3 to version 3.3.2.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | tomwright | > 3.0.0 , <= 3.3.2 | 3.3.2 |
| tomwright | github.com/tomwright/dasel | All versions | – |
| tomwright | github.com/tomwright/dasel/v2 | All versions | – |
| tomwright | github.com/tomwright/dasel/v3 | > 3.0.0 , <= 3.3.2 | 3.3.2 |
Original title
Dasel is a command-line tool and library for querying, modifying, and transforming data structures. Starting in version 3.0.0 and prior to version 3.3.1, Dasel's YAML reader allows an attacker who ...
Original description
Dasel is a command-line tool and library for querying, modifying, and transforming data structures. Starting in version 3.0.0 and prior to version 3.3.1, Dasel's YAML reader allows an attacker who can supply YAML for processing to trigger extreme CPU and memory consumption. The issue is in the library's own `UnmarshalYAML` implementation, which manually resolves alias nodes by recursively following `yaml.Node.Alias` pointers without any expansion budget, bypassing go-yaml v4's built-in alias expansion limit. Version 3.3.2 contains a patch for the issue.
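One way to bound the manual alias resolution described above, as an added example that is not Dasel's or go-yaml's code. `Node` is a constructed stand-in for the `Alias`/`Content` shape of `yaml.Node`; `walk`, `Check`, `nestedAliases`, `ErrBudget` and the limits are hypothetical names and values.

```go
package main

import (
	"errors"
	"fmt"
)

// Node is a constructed stand-in for the Alias/Content shape of yaml.Node.
type Node struct {
	Alias   *Node   // target, when this node is an alias
	Content []*Node // children of a sequence or mapping
}

var ErrBudget = errors.New("alias expansion budget exceeded")

// walk follows aliases like a manual resolver, charging every visit to one shared budget.
func walk(n *Node, budget *int) error {
	if *budget--; *budget < 0 {
		return ErrBudget // also stops cyclic aliases, which would otherwise never return
	}
	if n.Alias != nil {
		return walk(n.Alias, budget)
	}
	for _, c := range n.Content {
		if err := walk(c, budget); err != nil {
			return err
		}
	}
	return nil
}

// Check reports whether root expands within maxNodes visits (assumed limit).
func Check(root *Node, maxNodes int) error { return walk(root, &maxNodes) }

// nestedAliases builds constructed input: each level holds `fanout` aliases to the level below.
func nestedAliases(depth, fanout int) *Node {
	cur := &Node{}
	for ; depth > 0; depth-- {
		seq := &Node{}
		for j := 0; j < fanout; j++ {
			seq.Content = append(seq.Content, &Node{Alias: cur})
		}
		cur = seq
	}
	return cur
}

func main() {
	fmt.Println(Check(nestedAliases(2, 2), 1000), Check(nestedAliases(30, 4), 1000))
}
```

The graph from `nestedAliases(30, 4)` holds only 151 nodes, yet expanding it visits on the order of 4^30; the budget caps the work at `maxNodes` visits regardless of how small the input is.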
ghsa CVSS3.1
6.2
Vulnerability type
CWE-674
Published: 24 Mar 2026 · Updated: 24 Mar 2026 · First seen: 19 Mar 2026