CVE-2026-33320
Status: Received - Intake
Recursive YAML Alias Expansion Vulnerability in Dasel Causes Resource Exhaustion

Publication date: 2026-03-24

Last updated on: 2026-03-25

Assigner: GitHub, Inc.

Description
Dasel is a command-line tool and library for querying, modifying, and transforming data structures. In versions 3.0.0 up to and including 3.3.1, Dasel's YAML reader lets an attacker who can supply YAML for processing trigger extreme CPU and memory consumption. The issue is in the library's own `UnmarshalYAML` implementation, which resolves alias nodes itself by recursively following `yaml.Node.Alias` pointers with no expansion budget. Because go-yaml v4's built-in alias expansion limit is enforced inside go-yaml's own decoder, a walker that follows the node tree directly never reaches that check, so a small document whose aliases reference each other in layers costs work proportional to its fully expanded size rather than to its length. Version 3.3.2 contains a patch for the issue.
Meta Information
Generated: 2026-05-07
AI Q&A generated: 2026-03-24
EPSS evaluated: 2026-05-05
Affected Vendors & Products
Vendor     Product  Version / Range
tomwright  dasel    From 3.0.0 (inc) to 3.3.2 (exc)
CWE
CWE-674: The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
AI Powered Q&A
How can this vulnerability impact me?

If you run Dasel 3.0.0 through 3.3.1, an attacker who can supply YAML input to Dasel (on the command line or through the library API) can cause a denial of service.

The payload makes Dasel expand aliases without bound, consuming CPU and memory until the process stalls or is killed by the system.

Anything that depends on that process, such as a CI step, a config pipeline or a service embedding the library, is disrupted, leading to downtime or degraded availability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing Dasel's YAML processing with crafted YAML payloads that contain layered alias nodes (alias bombs). Such payloads make an affected Dasel consume extreme CPU and memory and fail to complete parsing within a reasonable time.

A proof of concept uses a 9-level alias bomb that triggers hundreds of millions of recursive expansions, causing denial of service.

To check a given installation, run Dasel (3.0.0 up to 3.3.1) on a crafted YAML file and observe whether the process consumes excessive CPU and memory or hangs for several seconds. Example command, assuming the payload is saved in malicious.yaml:

    dasel -f malicious.yaml

If Dasel hangs, pins a CPU core and keeps growing its memory usage, the vulnerability is present. Run this probe under a timeout and a memory cap (for example `timeout` and `ulimit -v` on Linux) so the test itself cannot take the host down, and treat the installed version as the more reliable indicator: a behavioural test only shows that some input is slow, while a version below 3.3.2 is affected regardless of the payload used. [1]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation is to upgrade Dasel to version 3.3.2 or later, where the vulnerability is patched.

The patch adds an alias expansion counter inside Dasel's `UnmarshalYAML` method that caps the total number of alias resolutions per document, so expansion can no longer run unbounded and exhaust resources.

Until you can upgrade, do not process untrusted YAML with Dasel 3.0.0 up to 3.3.1. If you consume Dasel as a library, confirm which version your build actually resolves rather than the one you think you pinned (in a Go module, `go list -m all` lists the resolved version of every dependency). [1]


Can you explain this vulnerability to me?

CVE-2026-33320 is a vulnerability in the Dasel command-line tool and library, specifically in its YAML reader, affecting versions 3.0.0 up to 3.3.1.

Dasel's YAML reader uses a custom method to resolve YAML alias nodes by recursively following alias pointers with no limit on the number of expansions. This bypasses the alias expansion limit that the underlying go-yaml v4 library normally enforces.

As a result, an attacker who can supply malicious YAML input can trigger unbounded recursion, causing extreme CPU and memory consumption and a denial of service (DoS) through resource exhaustion during YAML processing. [1]
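The following Go program is an added example, not dasel's or go-yaml's code, illustrating the mechanism given in the Description above and the counter that the mitigation answer describes. It models the part of yaml.Node that matters here (Kind, Alias, Content) with a small stand-in type so it runs without the go-yaml dependency; that type, the aliasBomb builder, the resolver names and the budget value are all assumptions chosen for illustration. The unbounded resolver follows Alias pointers the way the vulnerable pattern does; the budgeted resolver counts expansions per document and aborts, which is the shape of the 3.3.2 fix as this page describes it.

```go
package main

import (
	"errors"
	"fmt"
)

// Kind and Node are a minimal stand-in for yaml.Node (assumption: only the
// fields this example needs are modelled). Alias points at the anchored
// node an alias refers to, as yaml.Node.Alias does.
type Kind int

const (
	ScalarNode Kind = iota
	SequenceNode
	AliasNode
)

type Node struct {
	Kind    Kind
	Value   string  // scalar value
	Content []*Node // children of a sequence node
	Alias   *Node   // target of an alias node
}

// aliasBomb builds the tree that YAML such as
//
//	a: &a lol
//	b: &b [*a, *a, *a]
//	c: &c [*b, *b, *b]
//	d: &d [*c, *c, *c]
//
// produces for depth 3, fanout 3: the input holds depth*fanout alias nodes,
// but a full expansion visits fanout^depth scalar leaves.
func aliasBomb(depth, fanout int) *Node {
	prev := &Node{Kind: ScalarNode, Value: "lol"}
	for i := 0; i < depth; i++ {
		seq := &Node{Kind: SequenceNode}
		for j := 0; j < fanout; j++ {
			seq.Content = append(seq.Content, &Node{Kind: AliasNode, Alias: prev})
		}
		prev = seq
	}
	return prev
}

// resolveUnbounded mirrors the vulnerable pattern: every Alias pointer is
// followed and every child recursed into with no expansion budget, so work
// scales with the expanded document. It returns the scalar leaves visited.
func resolveUnbounded(n *Node) int {
	switch n.Kind {
	case AliasNode:
		return resolveUnbounded(n.Alias)
	case ScalarNode:
		return 1
	}
	leaves := 0
	for _, c := range n.Content {
		leaves += resolveUnbounded(c)
	}
	return leaves
}

// ErrAliasBudget is returned once one document exceeds its expansion budget.
var ErrAliasBudget = errors.New("yaml: alias expansion budget exceeded")

// budgetedResolver counts alias expansions over a whole document and aborts
// past budget. go-yaml's decoder enforces a comparable limit internally, but a
// hand-written walker over yaml.Node never passes through that code and so
// must carry its own counter. The budget value is illustrative.
type budgetedResolver struct {
	budget, expansions int
}

func (r *budgetedResolver) resolve(n *Node) (int, error) {
	switch n.Kind {
	case AliasNode:
		r.expansions++
		if r.expansions > r.budget {
			return 0, ErrAliasBudget
		}
		return r.resolve(n.Alias)
	case ScalarNode:
		return 1, nil
	}
	leaves := 0
	for _, c := range n.Content {
		k, err := r.resolve(c)
		if err != nil {
			return 0, err
		}
		leaves += k
	}
	return leaves, nil
}

func main() {
	bomb := aliasBomb(9, 9) // the "9-level alias bomb" shape: 9^9 = 387,420,489 leaves
	r := &budgetedResolver{budget: 10000}
	_, err := r.resolve(bomb)
	fmt.Printf("budgeted resolver: %v after %d alias expansions\n", err, r.expansions)
	// resolveUnbounded(bomb) is deliberately not called here: on this input it
	// performs hundreds of millions of steps, which is the denial of service.
}
```

The counter is per document rather than per node, which is what matters: each alias on its own is cheap, and only the product across levels is dangerous, so a per-node depth check would pass the bomb. Counting every alias hop also terminates on a cyclic node tree built by hand, where the unbounded version would overflow the stack. Whatever budget you pick should be well above any legitimate document you expect (a few thousand aliases is far more than real configuration files use) and should fail closed with an error rather than silently truncating.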

