DEV Community

CVE Reports

Originally published at cvereports.com


GHSA-4FCP-JXH7-23X8: Unbounded YAML Alias Expansion Denial of Service in Dasel

Vulnerability ID: GHSA-4FCP-JXH7-23X8
CVSS Score: 6.2
Published: 2026-03-19

The Dasel data querying and modification tool contains a critical resource exhaustion vulnerability in its YAML parsing subsystem. An attacker who supplies a maliciously crafted YAML document that makes excessive use of aliases can trigger infinite recursive expansion, resulting in complete CPU and memory exhaustion.

TL;DR

Dasel's custom YAML unmarshaling logic does not enforce a limit on alias expansion. Processing a targeted 'Billion Laughs' style YAML payload triggers uncontrolled recursion, causing rapid memory exhaustion and process termination.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-400
  • Attack Vector: Local / Network (Depending on implementation)
  • CVSS v3.1 Score: 6.2
  • Impact: Denial of Service (DoS)
  • Exploit Status: Proof of Concept Available
  • Vulnerable Component: yaml_reader.go (UnmarshalYAML)

Affected Systems

  • Dasel CLI Tool
  • Go applications incorporating github.com/tomwright/dasel/v3
  • github.com/tomwright/dasel/v3: >= 3.0.0, < 3.3.2 (Fixed in: 3.3.2)

Exploit Details

Mitigation Strategies

  • Upgrade the dependency github.com/tomwright/dasel/v3 to version 3.3.2 or higher.
  • Upgrade the Dasel CLI tool to the latest patched binary release.
  • Implement application-level filtering (for example regex-based) that rejects YAML inputs with excessively deep alias nesting before they reach the Dasel parser.
  • Enforce strict memory limits using container orchestration tools (e.g., Kubernetes resource limits) so that an exploitation attempt cannot starve the whole host of resources.
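One way to do the input screening suggested above before a document ever reaches the parser, as an added example that is not Dasel's code: a small Go pre-filter that estimates the alias expansion cost of a YAML document (a line-based heuristic, not a full YAML parser) and rejects anything above a node budget or containing an alias cycle. The function name AliasExpansionCost, the budget values and the sample documents are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var anchorRe = regexp.MustCompile(`&([A-Za-z0-9_-]+)`)
var aliasRe = regexp.MustCompile(`\*([A-Za-z0-9_-]+)`)

// AliasExpansionCost estimates how many nodes a YAML document materializes once
// every alias is expanded, failing fast above limit or on an alias cycle. It is a
// line-based heuristic: an anchor's body is the rest of its line (flow style) or the
// more-indented lines below it (block style); each alias use re-charges the target's cost.
func AliasExpansionCost(doc string, limit int) (int, error) {
	refs := map[string][]string{} // scope ("" = document root, else anchor name) -> children
	type scope struct{ name string; indent int }
	var stack []scope // anchors whose block body is still open
	for _, raw := range strings.Split(doc, "\n") {
		line := strings.SplitN(raw, "#", 2)[0] // crude comment strip; over-counting is the safe side
		if strings.TrimSpace(line) == "" { continue }
		indent := len(line) - len(strings.TrimLeft(line, " "))
		for len(stack) > 0 && indent <= stack[len(stack)-1].indent { stack = stack[:len(stack)-1] } // dedent closes a body
		owner := ""
		if len(stack) > 0 { owner = stack[len(stack)-1].name }
		if m := anchorRe.FindStringSubmatchIndex(line); m != nil {
			name := line[m[2]:m[3]]
			refs[owner] = append(refs[owner], name) // a definition is materialized once in its scope
			owner = name
			if strings.TrimSpace(line[m[1]:]) == "" { stack = append(stack, scope{name, indent}) } // block body follows
		}
		for _, a := range aliasRe.FindAllStringSubmatch(line, -1) { refs[owner] = append(refs[owner], a[1]) }
	}
	visiting := map[string]bool{} // anchors on the current expansion path, for cycle detection
	var cost func(string) (int, error)
	cost = func(name string) (int, error) {
		if visiting[name] { return 0, fmt.Errorf("alias cycle through anchor %q", name) }
		visiting[name] = true
		n := 1 // the node itself; an alias to an undefined anchor costs only this
		for _, r := range refs[name] { // total work stays O(limit) because we stop once n passes it
			c, err := cost(r)
			if err != nil { return 0, err }
			if n += c; n > limit { return 0, fmt.Errorf("alias expansion exceeds %d nodes", limit) }
		}
		visiting[name] = false
		return n, nil
	}
	return cost("")
}
```

Because the count is capped, the filter itself does linear work even on a document whose real expansion would be astronomically large; legitimate configs with a handful of shared anchors score in the single digits.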

Remediation Steps:

  1. Execute go get github.com/tomwright/dasel/v3@v3.3.2 to update the library in your Go module.
  2. Run go mod tidy to ensure dependency tree consistency.
  3. Rebuild all Go binaries that import the dasel/v3 package.
  4. Deploy updated binaries to production environments and verify successful YAML parsing behavior on known good inputs.

References


Read the full report for GHSA-4FCP-JXH7-23X8 on our website for more details including interactive diagrams and full exploit analysis.
