CVE-2026-46377
Received Received - Intake

Dasel Selector String Index Out of Range Vulnerability

Vulnerability report for CVE-2026-46377, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

Dasel is a command-line tool and library for querying, modifying, and transforming data structures. From 3.0.0 until 3.10.1, the escape sequence handler in (*Tokenizer).parseCurRune in selector/lexer/tokenize.go increments past a trailing backslash in a quoted string such as "\ or '\ and then reads p.src[pos] without a bounds check, allowing attacker-controlled selector strings to trigger a Go index-out-of-range panic. This issue is fixed in version 3.10.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
tomwright dasel From 3.0.0 (inc) to 3.10.1 (inc)
tomwright dasel 3.10.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-129 The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is in the dasel tool, which is used for querying and modifying data structures. It occurs when processing escape sequences in quoted strings. If a quoted string ends with a backslash like "\ or '\', the lexer incorrectly increments past the string's end and tries to read beyond valid memory, causing a Go runtime panic due to an index-out-of-range error.

Detection Guidance

The vulnerability can be detected by checking the version of dasel installed on your system. If the version is between 3.0.0 and 3.10.0, it is vulnerable. Run: dasel --version. If the output shows a version in this range, the system is affected.

Impact Analysis

An attacker who can provide a selector string to dasel could trigger a crash by causing a panic. This leads to a denial-of-service as the process handling the selector terminates unexpectedly. The impact is limited to availability since it does not expose data or allow code execution.

Compliance Impact

This vulnerability causes a denial-of-service condition via process termination when processing malformed selector strings. While it does not directly expose or leak data, compliance frameworks like GDPR and HIPAA require systems to maintain availability and integrity. A crash could disrupt services handling personal or health data, potentially violating availability requirements under these regulations.

Mitigation Strategies

Upgrade dasel to version 3.10.1 or later immediately. This version includes a fix for the index-out-of-range panic caused by trailing backslashes in quoted strings. Use your package manager or download the latest release from the official repository.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46377. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart