CVE-2026-33320

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-33320
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-33320.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-33320
Aliases
Downstream
Related
Published
2026-03-24T00:06:22.351Z
Modified
2026-03-31T17:44:25.858292243Z
Severity
  • 6.2 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Dasel has unbounded YAML alias expansion in dasel leads to CPU/memory denial of service
Details

Dasel is a command-line tool and library for querying, modifying, and transforming data structures. Starting in version 3.0.0 and prior to version 3.3.1, Dasel's YAML reader allows an attacker who can supply YAML for processing to trigger extreme CPU and memory consumption. The issue is in the library's own UnmarshalYAML implementation, which manually resolves alias nodes by recursively following yaml.Node.Alias pointers without any expansion budget, bypassing go-yaml v4's built-in alias expansion limit. Version 3.3.2 contains a patch for the issue.

Database specific 
{
    "cwe_ids": [
        "CWE-674"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33320.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/tomwright/dasel

Affected ranges

Type
GIT
Repo
https://github.com/tomwright/dasel
Events
Introduced
648f83baf070d9e00db8ff312febef857ec090a3
Fixed
282943b3720684ae0ea89432f51755325a841c75
Database specific 
{
    "versions": [
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.3.2"
        }
    ]
}

Affected versions

v3.*
v3.0.0
v3.1.0
v3.1.1
v3.1.2
v3.1.3
v3.1.4
v3.2.0
v3.2.1
v3.2.2
v3.2.3
v3.3.0
v3.3.1

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-33320.json"