Description

Dasel is a command-line tool and library for querying, modifying, and transforming data structures. Starting in version 3.0.0 and prior to version 3.3.1, Dasel's YAML reader allows an attacker who can supply YAML for processing to trigger extreme CPU and memory consumption. The issue is in the library's own `UnmarshalYAML` implementation, which manually resolves alias nodes by recursively following `yaml.Node.Alias` pointers without any expansion budget, bypassing go-yaml v4's built-in alias expansion limit. Version 3.3.2 contains a patch for the issue.

INFO

Published Date :

2026-03-24T00:06:22.351Z

Last Modified :

2026-03-26T12:24:32.421Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-33320 vulnerability.

Vendors Products
Tomwright
  • Dasel
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33320.

URL Resource
https://github.com/TomWright/dasel/security/advisories/GHSA-4fcp-jxh7-23x8 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact