CVE-2026-33320: CWE-674: Uncontrolled Recursion in TomWright dasel
Dasel is a command-line tool and library for querying, modifying, and transforming data structures. Starting in version 3.0.0 and prior to version 3.3.1, Dasel's YAML reader allows an attacker who can supply YAML for processing to trigger extreme CPU and memory consumption. The issue is in the library's own `UnmarshalYAML` implementation, which manually resolves alias nodes by recursively following `yaml.Node.Alias` pointers without any expansion budget, bypassing go-yaml v4's built-in alias expansion limit. Version 3.3.2 contains a patch for the issue.
AI Analysis
Technical Summary
Dasel is a command-line tool and library for querying, modifying, and transforming data structures, YAML among them. From version 3.0.0 up to but not including 3.3.2, its YAML reader is affected by CVE-2026-33320, uncontrolled recursion (CWE-674) in the library's own `UnmarshalYAML` implementation. Rather than letting go-yaml v4 decode the document, dasel walks the `yaml.Node` tree itself and resolves each alias by recursively following the node's `Alias` pointer to the anchored node, re-expanding that node's subtree on every reference. Nothing counts or caps these expansions, so go-yaml v4's built-in alias expansion limit, which protects only go-yaml's own decoding path, is never applied. This is the condition the well-known "billion laughs" document shape exploits: each anchor references the previous one several times, and a few hundred bytes of input cost time and memory exponential in the nesting depth. Anyone who can supply YAML to dasel can therefore force extreme CPU and memory consumption, a denial of service; confidentiality and integrity are not affected. The exposure is any path by which untrusted YAML reaches dasel, typically a local invocation or an automation pipeline that processes externally sourced files. Version 3.3.2 contains the fix. No exploitation in the wild was reported as of publication. The CVSS v3.1 base score is 6.2 (medium): attack vector local, low attack complexity, no privileges required, no user interaction, and high availability impact.
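To make the failure mode concrete, the following is an added example and not code from dasel or go-yaml. It uses a stand-in `Node` type carrying only the fields that alias resolution touches (a simplification of `yaml.Node`, which also has mapping and document kinds), builds the exponential-alias tree programmatically, runs the unbounded recursive walk that reproduces the vulnerable pattern, and then runs the same walk under an expansion budget. The budget rule (one unit per alias followed, fixed ceiling) is an assumption chosen for illustration, not go-yaml's actual limit, and the change shipped in 3.3.2 is not reproduced here.

```go
package main

import (
	"errors"
	"fmt"
)

// Kind and Node are a deliberately minimal stand-in for the parts of
// yaml.Node that alias resolution uses. They are NOT go-yaml's types; they
// exist so the example runs without the dependency.
type Kind int

const (
	ScalarNode Kind = iota
	SequenceNode
	AliasNode
)

type Node struct {
	Kind    Kind
	Value   string
	Content []*Node // children of a sequence
	Alias   *Node   // for AliasNode: the anchored node being referenced
}

// billionLaughs builds, in tree form, the constructed document
//   a0: &a0 ["lol"]
//   a1: &a1 [*a0, *a0]
//   ...
//   aN: &aN [*a(N-1), *a(N-1)]
// and returns the last anchored node. Fully resolving it yields 2^depth
// scalars from an input that grows only linearly with depth.
func billionLaughs(depth int) *Node {
	prev := &Node{Kind: SequenceNode, Content: []*Node{{Kind: ScalarNode, Value: "lol"}}}
	for i := 0; i < depth; i++ {
		prev = &Node{Kind: SequenceNode, Content: []*Node{
			{Kind: AliasNode, Alias: prev},
			{Kind: AliasNode, Alias: prev},
		}}
	}
	return prev
}

// resolveUnbounded mirrors the vulnerable pattern: every alias is followed
// and its target re-expanded with no budget, so work is O(2^depth).
// It returns the number of scalars produced.
func resolveUnbounded(n *Node) int {
	switch n.Kind {
	case AliasNode:
		return resolveUnbounded(n.Alias)
	case SequenceNode:
		total := 0
		for _, c := range n.Content {
			total += resolveUnbounded(c)
		}
		return total
	default:
		return 1
	}
}

var ErrAliasBudget = errors.New("yaml: alias expansion budget exceeded")

// resolver performs the same walk but charges every alias it follows
// against a shared budget and aborts once the budget is spent.
type resolver struct{ budget int }

func (r *resolver) resolve(n *Node) (int, error) {
	switch n.Kind {
	case AliasNode:
		if r.budget <= 0 {
			return 0, ErrAliasBudget
		}
		r.budget--
		return r.resolve(n.Alias)
	case SequenceNode:
		total := 0
		for _, c := range n.Content {
			k, err := r.resolve(c)
			if err != nil {
				return 0, err
			}
			total += k
		}
		return total, nil
	default:
		return 1, nil
	}
}

// ResolveWithBudget resolves n, allowing at most budget alias expansions.
func ResolveWithBudget(n *Node, budget int) (int, error) {
	r := &resolver{budget: budget}
	return r.resolve(n)
}

func main() {
	small := billionLaughs(10) // 1024 scalars, 2046 alias expansions
	fmt.Println("unbounded, depth 10:", resolveUnbounded(small))
	n, err := ResolveWithBudget(small, 10000)
	fmt.Println("budgeted, depth 10:", n, err)
	huge := billionLaughs(40) // ~2^40 scalars; the unbounded walk never finishes
	_, err = ResolveWithBudget(huge, 10000)
	fmt.Println("budgeted, depth 40:", err)
}
```

At depth 10 the two walks agree, but at depth 40 only the budgeted walk returns, with `ErrAliasBudget` after the 10,000th alias; the unbounded walk would need on the order of 2^40 expansions. Any code that resolves aliases by hand over a `yaml.Node` tree needs a check of this shape, because go-yaml's own limit does not see a walk that the caller performs itself.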
Potential Impact
The impact of CVE-2026-33320 is denial of service through resource exhaustion. Organizations that run dasel over YAML in CI/CD jobs, DevOps automation, or configuration management can see those jobs hang, exhaust memory, or be killed when a crafted document is supplied, delaying releases and configuration rollouts and, where the host is shared, degrading whatever else runs on it. A single small file suffices, no privileges or user interaction are needed, and the attacker's cost is negligible next to the victim's. Confidentiality and integrity are untouched. The limiting factor is reach: the attack vector is local, so exposure exists only where an attacker can get YAML in front of dasel, for example through a contributed change, user-supplied configuration, or files fetched from external sources during a pipeline run. No widespread exploitation is known, but any workflow that feeds YAML from outside its trust boundary to a vulnerable dasel version remains at risk.
Mitigation Recommendations
To mitigate CVE-2026-33320, upgrade dasel to version 3.3.2 or later. Where that cannot happen immediately, keep untrusted YAML away from the vulnerable reader: if your workflows do not rely on anchors and aliases, reject documents that contain alias references (`*name`) before dasel sees them; if they do, restrict dasel to inputs from trusted sources and review external YAML before processing it. Run dasel under operating-system resource limits (a timeout, a memory ceiling via ulimit or cgroups, a CPU quota) so a pathological document aborts the one invocation rather than starving the host, and keep such invocations in a sandbox or container so that an abort does not take the rest of the pipeline down. Monitor CPU and memory of processes that invoke dasel and alert on runs that leave their normal envelope; a tiny input that pegs a core while memory grows without bound is the signature of this class of bug. Audit automation to find every place dasel ingests YAML and confirm the provenance of each input, track releases from the dasel project and apply patches promptly, and make sure development and operations teams know which versions are affected.
Affected Countries
United States, Germany, United Kingdom, Japan, Canada, Australia, India, France, Netherlands, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-18T21:23:36.677Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c1debff4197a8e3babf872
Added to database: 3/24/2026, 12:45:51 AM
Last enriched: 3/31/2026, 8:03:25 PM
Last updated: 5/7/2026, 6:49:17 PM