CVE-2026-33320

MEDIUM

Dasel: unbounded YAML alias expansion leads to CPU/memory denial of service

Title source: cna

Exploitation Summary

EIP tracks 4 public exploits for CVE-2026-33320. PoCs published by GonSarrabia, rotavori, nedlir.

AI-analyzed exploit summary: This repository provides a detailed analysis and patch for CVE-2026-33320, a YAML expansion vulnerability in the 'dasel' tool. It includes a patch to mitigate YAML bomb attacks by introducing depth and budget limits for alias expansion.

Description

Dasel is a command-line tool and library for querying, modifying, and transforming data structures. Starting in version 3.0.0 and prior to version 3.3.1, Dasel's YAML reader allows an attacker who can supply YAML for processing to trigger extreme CPU and memory consumption. The issue is in the library's own `UnmarshalYAML` implementation, which manually resolves alias nodes by recursively following `yaml.Node.Alias` pointers without any expansion budget, bypassing go-yaml v4's built-in alias expansion limit. Version 3.3.2 contains a patch for the issue.
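As an added illustration of the mitigation the writeups describe (a depth cap plus a total expansion budget on alias resolution), not dasel's or go-yaml's own code: a stand-in `Node` type models only the `Alias`/`Content` pointers that a manual resolver follows, and `BuildDoublingDoc` is a constructed test input whose full expansion grows as 2^levels, so the resolver must fail closed instead of walking it.

```go
package main

import "fmt"

// Node is a minimal stand-in for yaml.Node (assumption: not go-yaml's own type):
// Alias != nil marks an alias node, Content a sequence, neither means a scalar.
type Node struct {
	Content []*Node
	Alias   *Node // the pointer the vulnerable resolver followed without any limit
}
var ErrAliasBudget = fmt.Errorf("yaml: alias expansion exceeded budget or depth")
const maxAliasDepth = 64 // cap on chained aliases (constructed value)
type expander struct{ budget int } // node visits still allowed

// resolve counts the scalars n expands to, charging every visit (repeat visits through aliases included) against the shared budget.
func (e *expander) resolve(n *Node, depth int) (int, error) {
	if depth > maxAliasDepth || e.budget <= 0 {
		return 0, ErrAliasBudget
	}
	e.budget--
	if n.Alias != nil {
		return e.resolve(n.Alias, depth+1)
	}
	if n.Content == nil {
		return 1, nil // scalar
	}
	total := 0
	for _, c := range n.Content {
		k, err := e.resolve(c, depth)
		if err != nil {
			return 0, err
		}
		total += k
	}
	return total, nil
}

// CountExpanded expands root under a fixed budget and fails closed past it.
func CountExpanded(root *Node, budget int) (int, error) {
	return (&expander{budget: budget}).resolve(root, 0)
}

// BuildDoublingDoc constructs the test input: level i is a sequence of two aliases to level i-1, so a full expansion would yield 2^levels scalars.
func BuildDoublingDoc(levels int) *Node {
	cur := &Node{}
	for i := 0; i < levels; i++ {
		cur = &Node{Content: []*Node{{Alias: cur}, {Alias: cur}}}
	}
	return cur
}
func main() { fmt.Println(CountExpanded(BuildDoublingDoc(40), 1000)) } // 0 and the budget error
```

Because every node visit is charged, including re-visits of the same shared target, the cost is bounded by the budget rather than by the expanded size, which is the property the unbudgeted recursion lacked.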

Exploits (4)

nomisec WRITEUP
by GonSarrabia · poc
https://github.com/GonSarrabia/Minimus-Junior-Backend-Exercise

This repository provides a detailed analysis and patch for CVE-2026-33320, a YAML expansion vulnerability in the 'dasel' tool. It includes a patch to mitigate YAML bomb attacks by introducing depth and budget limits for alias expansion.

Classification: Writeup 95%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: dasel v3.3.1
No auth needed
Prerequisites: Docker · melange · apko
devstral-2 · analyzed Jun 09, 2026
nomisec WRITEUP
by rotavori · poc
https://github.com/rotavori/dasel-melange-apko

This repository provides a detailed technical analysis and patch for CVE-2026-33320, a YAML alias expansion vulnerability in dasel. It includes a patch file, notes on the vulnerability, and tests to verify the fix.

Classification: Writeup 100%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: dasel (github.com/TomWright/dasel) versions >= 3.0.0, < 3.3.2
No auth needed
Prerequisites: Attacker-controlled YAML input
devstral-2 · analyzed Jun 02, 2026
nomisec WRITEUP
by nedlir · poc
https://github.com/nedlir/dasel-hardened-container

This repository provides a detailed technical analysis and hardened container build for dasel v3.3.1, including a build-time patch for CVE-2026-33320 (unbounded YAML alias expansion). It includes a comprehensive breakdown of the vulnerability, patch mechanics, and security hardening measures.

Classification: Writeup 100%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: dasel v3.3.1
No auth needed
Prerequisites: Docker · melange · apko
devstral-2 · analyzed May 05, 2026
nomisec WRITEUP
by nedlir · poc
https://github.com/nedlir/dasel-hardened-containe

This repository provides a detailed technical analysis and hardened container build for dasel v3.3.1, including a build-time patch for CVE-2026-33320 (unbounded YAML alias expansion). It includes comprehensive documentation, patch details, and security hardening measures.

Classification: Writeup 100%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: dasel v3.3.1
No auth needed
Prerequisites: Docker · melange · apko
devstral-2 · analyzed May 05, 2026


Scores

CVSS v3: 6.2
EPSS: 0.0021
EPSS Percentile: 11.2%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-674
Status: published
Products (3)
tomwright/dasel 3.0.0 - 3.3.2
tomwright/dasel 3.0.0 - 3.3.2 (Go)
TomWright/dasel >= 3.0.0, < 3.3.2
Published: Mar 24, 2026
Tracked Since: Mar 24, 2026