CVE-2026-46378 in daselinfo

Summary

by MITRE • 07/16/2026

Dasel is a command-line tool and library for querying, modifying, and transforming data structures. From 3.0.0 until 3.10.1, the selector lexer matchRegexPattern closure in (*Tokenizer).parseCurRune in selector/lexer/tokenize.go loops while tokenizing an unterminated regex literal such as r/ because peekRuneEqual returns false after the end of input, allowing attacker-controlled selector strings to consume CPU indefinitely. This issue is fixed in version 3.10.1.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/16/2026

The dasel command-line tool presents a critical denial-of-service vulnerability through its regex pattern handling mechanism within the selector lexer component. This flaw exists in versions ranging from 3.0.0 through 3.10.1, where the tokenization process becomes trapped in an infinite loop when processing unterminated regular expression literals. The vulnerability specifically manifests in the matchRegexPattern closure implementation within the (*Tokenizer).parseCurRune function located in selector/lexer/tokenize.go. When an attacker provides a malicious selector string containing an unterminated regex pattern such as r/, the system enters an endless loop that consumes excessive CPU resources without proper termination conditions.

The technical exploitation occurs through the peekRuneEqual function which returns false upon reaching the end of input, creating a condition where the parsing loop continues indefinitely. This behavior represents a classic denial-of-service vulnerability that can be leveraged by attackers to exhaust system resources and potentially cause service disruption. The flaw operates at the lexical analysis level, making it particularly dangerous as it affects the core parsing functionality of the tool. The infinite loop occurs because the regex literal parsing logic does not properly validate whether the pattern is correctly terminated before continuing the tokenization process.

From an operational perspective, this vulnerability poses significant risks to systems that utilize dasel for data processing or automation tasks. Attackers can craft malicious selector strings that cause processes consuming dasel to become unresponsive, effectively creating a resource exhaustion scenario that impacts system availability. The vulnerability affects any environment where dasel processes user-provided input through its selector functionality, particularly in automated workflows or services that accept external data queries. The impact extends beyond simple CPU consumption as it can affect system stability and performance under sustained attack conditions.

The weakness aligns with CWE-835, which specifically addresses infinite loops in software systems where loop termination conditions are not properly handled. This vulnerability also maps to ATT&CK technique T1496, which covers resource exhaustion attacks targeting availability. The fix implemented in version 3.10.1 addresses the core issue by ensuring proper validation of regex pattern termination conditions during tokenization. Organizations should immediately upgrade to version 3.10.1 or later to mitigate this vulnerability and prevent potential exploitation. Additionally, implementing input validation measures for selector strings and monitoring resource consumption patterns can provide additional defense-in-depth layers against similar issues.

Responsible

GitHub M

Reservation

05/13/2026

Disclosure

07/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!