Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-33320 is a vulnerability in the Dasel command-line tool and library, specifically in its YAML reader component for versions 3.0.0 up to 3.3.1.'}, {'type': 'paragraph', 'content': "The issue arises because Dasel's YAML reader uses a custom method to resolve YAML alias nodes by recursively following alias pointers without any limit on the number of expansions. This bypasses the alias expansion limit that the underlying go-yaml v4 library normally enforces."}, {'type': 'paragraph', 'content': 'As a result, an attacker who can supply malicious YAML input can trigger unbounded recursion, causing extreme CPU and memory consumption.'}, {'type': 'paragraph', 'content': 'This leads to a denial of service (DoS) condition by exhausting system resources during YAML processing.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

If you use Dasel versions between 3.0.0 and 3.3.1, an attacker able to supply YAML input to Dasel (via command-line input or library usage) can exploit this vulnerability to cause a denial of service.

The exploit causes Dasel to consume excessive CPU and memory resources due to unbounded recursive alias expansion, potentially making the system unresponsive or crashing the application.

This can disrupt normal operations, leading to downtime or degraded service availability.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by testing Dasel's YAML processing with crafted YAML payloads that contain deeply nested alias nodes (alias bombs). Such payloads cause Dasel to consume extreme CPU and memory resources and fail to complete parsing within a reasonable time."}, {'type': 'paragraph', 'content': 'A proof of concept involves using a YAML payload with a 9-level alias bomb that triggers hundreds of millions of recursive expansions, causing denial of service.'}, {'type': 'paragraph', 'content': 'You can detect the vulnerability by running Dasel (version 3.0.0 up to 3.3.1) on a crafted malicious YAML file and observing if the process consumes excessive CPU and memory or hangs for several seconds.'}, {'type': 'paragraph', 'content': 'Example command to test Dasel with a malicious YAML file (assuming the payload is saved in malicious.yaml):'}, {'type': 'list_item', 'content': 'dasel -f malicious.yaml'}, {'type': 'paragraph', 'content': 'If Dasel hangs or uses 100% CPU and grows memory usage significantly, it indicates the vulnerability is present.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate mitigation step is to upgrade Dasel to version 3.3.2 or later, where the vulnerability has been patched.'}, {'type': 'paragraph', 'content': "The patch implements an alias expansion counter within Dasel's UnmarshalYAML method to limit the total number of alias resolutions, preventing unbounded recursion and resource exhaustion."}, {'type': 'paragraph', 'content': 'Until you can upgrade, avoid processing untrusted or malicious YAML input with Dasel versions 3.0.0 up to 3.3.1.'}] [1]

Useful 0 Not Useful 0