PT-2026-26480 · Go-Yaml+1

Kq5Y · Published 2026-03-19 · Updated 2026-03-27 · CVE-2026-33320

CVSS v3.1: 6.2 (Medium)

Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Dasel versions 3.0.0 through 3.3.1

Description

Dasel’s YAML reader is susceptible to excessive CPU and memory consumption when processing YAML data supplied by an attacker. This occurs because the library’s UnmarshalYAML implementation recursively resolves YAML alias nodes without any expansion limit, bypassing the built-in alias expansion limit present in go-yaml v4. A relatively small 342-byte payload can trigger this issue, leading to denial of service.

The issue resides in the UnmarshalYAML function, which handles alias nodes by recursively following yaml.Node.Alias pointers without a defined expansion budget. This allows an attacker to create a YAML document with deeply nested aliases, causing unbounded resource growth during parsing. The root cause is that Dasel receives a compact Node tree and then re-expands aliases without a limit, unlike go-yaml v4’s Unmarshal function, which tracks alias expansion count.

Recommendations

Versions prior to 3.3.2 are affected. Update to version 3.3.2 or later to resolve the issue.
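
The kind of expansion budget the description says was missing, as an added example (not code from Dasel or go-yaml). The `node` type is a simplified stand-in for `yaml.Node`; `expand`, `nested`, `errBudget` and the limits are assumptions chosen for illustration, and the sample tree is constructed in memory.

```go
package main

import "fmt"

// node is a simplified, hypothetical stand-in for yaml.Node.
type node struct {
	Alias   *node   // set when this node is an alias to an anchored node
	Content []*node // children of a sequence; nil for a scalar
	Value   string
}
var errBudget = fmt.Errorf("alias expansion budget exceeded")

// expand resolves the compact tree; every node visit, alias hops included, draws on one shared budget.
func expand(n *node, budget *int) (interface{}, error) {
	if *budget--; *budget < 0 {
		return nil, errBudget
	}
	if n.Alias != nil {
		return expand(n.Alias, budget)
	}
	if n.Content == nil {
		return n.Value, nil
	}
	out := make([]interface{}, 0, len(n.Content))
	for _, c := range n.Content {
		v, err := expand(c, budget)
		if err != nil {
			return nil, err
		}
		out = append(out, v)
	}
	return out, nil
}

// nested builds a constructed sample: each level holds width aliases to the level below.
func nested(depth, width int) *node {
	if depth == 0 {
		return &node{Value: "x"}
	}
	seq, below := &node{}, nested(depth-1, width)
	for j := 0; j < width; j++ {
		seq.Content = append(seq.Content, &node{Alias: below})
	}
	return seq
}

func main() {
	big := 100000
	fmt.Println(expand(nested(12, 9), &big))
}
```

Because the budget is shared across the whole document rather than reset per alias, the cost of a parse is bounded by the limit regardless of how aliases are nested.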

Exploit

Fix

Uncontrolled Recursion

Weakness Enumeration

Related Identifiers

CVE-2026-33320
GHSA-4FCP-JXH7-23X8
GO-2026-4768
SUSE-SU-2026:1135-1

Affected Products

Dasel
Go-Yaml