CVE-2026-46378
Received Received - Intake

Denial of Service in Dasel via Regex Loop

Vulnerability report for CVE-2026-46378, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

Dasel is a command-line tool and library for querying, modifying, and transforming data structures. From 3.0.0 until 3.10.1, the selector lexer matchRegexPattern closure in (*Tokenizer).parseCurRune in selector/lexer/tokenize.go loops while tokenizing an unterminated regex literal such as r/ because peekRuneEqual returns false after the end of input, allowing attacker-controlled selector strings to consume CPU indefinitely. This issue is fixed in version 3.10.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
tomwright dasel From 3.0.0 (inc) to 3.10.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-835 The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-46378 is a denial-of-service vulnerability in the dasel selector lexer caused by an infinite loop when processing unterminated regex literals. The issue occurs in the matchRegexPattern function within the tokenizer, which fails to handle missing closing slashes in regex patterns like r/abc. A minimal input of just r/ is sufficient to trigger the bug, causing the tokenizer to consume 100% CPU indefinitely without returning.

Detection Guidance

To detect this vulnerability, monitor for processes consuming 100% CPU when dasel is used with selector strings containing unterminated regex patterns like r/. Check running processes for dasel with high CPU usage and inspect command-line arguments for suspicious selector patterns.

Impact Analysis

An attacker who can influence selector strings passed to dasel could exploit this to cause high CPU usage and denial of service. The vulnerability allows indefinite CPU consumption without affecting confidentiality or integrity, primarily impacting system availability.

Mitigation Strategies

Immediately upgrade dasel to version 3.10.1 or later. If upgrading is not possible, restrict access to dasel or sanitize all selector inputs to prevent unterminated regex patterns like r/ from being processed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46378. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart