CVE-2026-33320

Name: CVE-2026-33320
Description: Dasel is a command-line tool and library for querying, modifying, and transforming data structures. Starting in version 3.0.0 and prior to version 3.3.1, Dasel's YAML reader allows an attacker who can supply YAML for processing to trigger extreme CPU and memory consumption. The issue is in the library's own `UnmarshalYAML` implementation, which manually resolves alias nodes by recursively following `yaml.Node.Alias` pointers without any expansion budget, bypassing go-yaml v4's built-in alias expansion limit. Version 3.3.2 contains a patch for the issue.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release               Version    Status
dasel (PTS)       forky, sid, trixie    2.8.1-1    fixed

The information below is based on the following data on fixed versions.

Package    Type      Release       Fixed Version     Urgency    Origin    Debian Bugs
dasel      source    (unstable)    (not affected)

Notes

- dasel <not-affected> (Vulnerable code not present)
https://github.com/TomWright/dasel/security/advisories/GHSA-4fcp-jxh7-23x8
https://github.com/TomWright/dasel/pull/531
Fixed by: https://github.com/TomWright/dasel/commit/282943b3720684ae0ea89432f51755325a841c75 (v3.3.2)
