CVE-2026-33320: CWE-674: Uncontrolled Recursion in TomWright dasel
Dasel is a command-line tool and library for querying, modifying, and transforming data structures. Starting in version 3.0.0 and prior to version 3.3.1, Dasel's YAML reader allows an attacker who can supply YAML for processing to trigger extreme CPU and memory consumption. The issue is in the library's own `UnmarshalYAML` implementation, which manually resolves alias nodes by recursively following `yaml.Node.Alias` pointers without any expansion budget, bypassing go-yaml v4's built-in alias expansion limit. Version 3.3.2 contains a patch for the issue.
AI Analysis
Technical Summary
CVE-2026-33320 is a vulnerability identified in the dasel command-line tool and library, which is used for querying and modifying data structures including YAML. The vulnerability stems from the tool's custom YAML unmarshalling implementation, which manually resolves alias nodes by recursively following yaml.Node.Alias pointers without enforcing any expansion budget. This bypasses the built-in alias expansion limits of the underlying go-yaml v4 library. As a result, an attacker who can supply crafted YAML input can trigger uncontrolled recursion, leading to extreme CPU and memory consumption. This resource exhaustion can cause denial of service (DoS) conditions, impacting the availability of systems running dasel versions from 3.0.0 up to 3.3.1. The vulnerability does not compromise confidentiality or integrity, as it does not allow code execution or data manipulation beyond resource exhaustion. The flaw was addressed in dasel version 3.3.2 by implementing proper alias expansion limits to prevent infinite recursion. Exploitation requires the ability to provide YAML input to dasel, which may be local or through automated pipelines that use dasel for YAML processing. No authentication or user interaction is required, but the attack vector is limited to environments where dasel processes untrusted YAML data.
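To make the fix concrete, here is a budgeted alias resolver in Go, added as an illustration and not code from dasel or go-yaml: `Node` is an assumed stand-in for `yaml.Node`, and `NestedAliases` is a constructed fixture whose aliases expand geometrically, the shape an expansion budget exists to stop.

```go
package main
import "errors"

// Node stands in for yaml.Node (assumed here, not go-yaml's type); an alias node points at its anchored target.
type Node struct {
	Kind    string // "scalar", "seq" or "alias"
	Value   string
	Content []*Node
	Alias   *Node
}

var ErrExpansionBudget = errors.New("yaml: alias expansion budget exceeded")

// resolver charges each emitted node against a fixed budget, so an alias-heavy document fails fast.
type resolver struct{ remaining int }

func (r *resolver) resolve(n *Node) (*Node, error) {
	if n.Kind == "alias" {
		return r.resolve(n.Alias) // follow the pointer; the target is charged below
	}
	if r.remaining <= 0 {
		return nil, ErrExpansionBudget
	}
	r.remaining--
	out := &Node{Kind: n.Kind, Value: n.Value}
	for _, c := range n.Content {
		rc, err := r.resolve(c)
		if err != nil {
			return nil, err
		}
		out.Content = append(out.Content, rc)
	}
	return out, nil
}

// ExpandedSize resolves root under budget and returns the expanded node count, or ErrExpansionBudget.
func ExpandedSize(root *Node, budget int) (int, error) {
	r := &resolver{remaining: budget}
	if _, err := r.resolve(root); err != nil {
		return 0, err
	}
	return budget - r.remaining, nil
}

// NestedAliases is a constructed fixture: each level is a sequence of two aliases to the level below, so depth d expands to 2^(d+1)-1 nodes.
func NestedAliases(depth int) *Node {
	n := &Node{Kind: "scalar", Value: "x"}
	for i := 0; i < depth; i++ {
		n = &Node{Kind: "seq", Content: []*Node{{Kind: "alias", Alias: n}, {Kind: "alias", Alias: n}}}
	}
	return n
}
```

Without the budget check the same walk would faithfully materialise all 2^(d+1)-1 nodes, which is the CPU and memory blow-up the advisory describes.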
Potential Impact
The primary impact of CVE-2026-33320 is denial of service through resource exhaustion. Organizations using dasel in automated workflows, CI/CD pipelines, or configuration management that process untrusted or user-supplied YAML data are at risk of service disruption. This can lead to downtime, degraded performance, and potential cascading failures in dependent systems. Since dasel is a tool often integrated into DevOps and infrastructure automation, the vulnerability could disrupt development and deployment processes, delaying critical updates or releases. The vulnerability does not expose sensitive data or allow unauthorized changes, limiting its impact to availability. However, the ease of triggering resource exhaustion without authentication or user interaction makes it a significant operational risk. Organizations relying on dasel in security-sensitive or high-availability environments should prioritize patching to avoid potential outages.
Mitigation Recommendations
To mitigate CVE-2026-33320, organizations should upgrade dasel to version 3.3.2 or later, where the alias expansion limit has been properly implemented. Until upgrading, restrict the use of dasel to trusted YAML inputs only, avoiding processing untrusted or user-supplied YAML data. Implement input validation and sanitization to detect and block suspicious YAML alias structures that could trigger recursion. Monitor CPU and memory usage of systems running dasel to detect abnormal resource consumption indicative of exploitation attempts. Consider sandboxing dasel executions or running them with resource limits (e.g., cgroups or containers) to contain potential DoS effects. Review automation and CI/CD pipelines to ensure they do not expose dasel to untrusted inputs. Finally, maintain awareness of updates from the dasel project and apply patches promptly.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-18T21:23:36.677Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c1debff4197a8e3babf872
Added to database: 3/24/2026, 12:45:51 AM
Last enriched: 3/24/2026, 1:03:39 AM
Last updated: 3/24/2026, 5:19:45 AM