CVE-2026-46377 in daselinfo

Summary

by MITRE • 07/16/2026

Dasel is a command-line tool and library for querying, modifying, and transforming data structures. From 3.0.0 until 3.10.1, the escape sequence handler in (*Tokenizer).parseCurRune in selector/lexer/tokenize.go increments past a trailing backslash in a quoted string such as "\ or '\ and then reads p.src[pos] without a bounds check, allowing attacker-controlled selector strings to trigger a Go index-out-of-range panic. This issue is fixed in version 3.10.1.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/16/2026

The vulnerability resides within the dasel command-line tool and library which processes data structures through query and transformation operations. The specific flaw exists in the tokenization phase of the selector parsing mechanism, particularly in the parseCurRune method located in the selector/lexer/tokenize.go file. This issue affects versions 3.0.0 through 3.10.1, creating a critical security risk that can be exploited by malicious actors.

The technical implementation flaw occurs when processing quoted strings containing trailing backslashes. The tokenizer's escape sequence handler incorrectly advances the position pointer beyond the trailing backslash character in strings such as "\" or '\'' before performing bounds checking on the source buffer access. This improper handling creates an out-of-bounds memory read condition where the code attempts to access p.src[pos] without verifying that the position index remains within valid buffer boundaries. The vulnerability represents a classic buffer over-read scenario that can be triggered through carefully crafted input strings.

The operational impact of this vulnerability is significant as it allows attackers to craft malicious selector strings that will cause the application to panic with an index-out-of-range error. This type of panic can lead to denial of service conditions where legitimate users cannot utilize the tool's functionality. The vulnerability is particularly concerning because it can be exploited through user-controlled inputs, making it a potential vector for remote code execution or system compromise depending on how dasel is integrated into larger systems. From an attack perspective, this aligns with ATT&CK technique T1203 (Exploitation for Client Execution) and CWE-129 (Improper Validation of Array Index).

The fix implemented in version 3.10.1 addresses the core issue by introducing proper bounds checking before accessing the source buffer. This remediation ensures that the tokenizer validates array indices against buffer limits before attempting memory reads, preventing the out-of-bounds access that previously occurred. Organizations using dasel should immediately upgrade to version 3.10.1 or later to protect against this vulnerability. The mitigation strategy involves not only updating the software but also implementing input validation for any user-supplied selector strings that may be processed through dasel. Security teams should monitor for potential exploitation attempts and consider this vulnerability in their threat modeling exercises for systems where dasel is deployed as part of automated workflows or security toolchains.

Responsible

GitHub M

Reservation

05/13/2026

Disclosure

07/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Interested in the pricing of exploits?

See the underground prices here!