https://feed.craftedsignal.io/products/dasel/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 19 May 2026 20:11:29 +0000https://feed.craftedsignal.io/briefs/2026-05-dasel-panic/Tue, 19 May 2026 20:11:29 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-dasel-panic/The dasel selector lexer is vulnerable to an index-out-of-range panic when tokenizing a quoted string that ends with a trailing backslash (e.g., `"\` or `'\`), leading to a process crash if an attacker can control the selector string.The dasel library, a command-line tool and Go library for selecting and updating data structures, is vulnerable to a denial-of-service attack. Specifically, the selector lexer component within dasel panics when processing a quoted string that ends with a trailing backslash. This occurs due to a missing bounds check in the escape sequence handler, leading to an index-out-of-range error when the lexer attempts to read past the end of the input string. Confirmed on versions v3.0.0 and v3.3.1, this vulnerability can be triggered with a minimal 2-byte input ("\ or '\). An attacker who can control the selector/query string passed to dasel can trigger a Go runtime panic, crashing the process unless the caller explicitly recovers from panics.

Attack Chain

1. An attacker crafts a malicious input string containing a quoted string that ends with a trailing backslash (e.g., "\ or '\).
2. The attacker provides this malicious input string to an application that uses the dasel library.
3. The application passes the input string to the lexer.NewTokenizer function to create a new tokenizer.
4. The Tokenize method is called on the tokenizer to lex the input string.
5. The parseCurRune function is called to parse the current rune.
6. Inside parseCurRune, the code detects the backslash character but does not check if it’s the last character in the input.
7. The pos++ increments the position beyond the end of the input.
8. The subsequent p.src[pos] attempts to read past the end of the input slice, triggering a Go runtime panic and crashing the dasel process.

Impact

Successful exploitation of this vulnerability results in a denial-of-service condition. Any application using dasel that processes attacker-controlled selector strings is susceptible to crashing. This can impact web applications using dasel for dynamic querying, applications that construct selectors from user input, and shared tooling environments where selectors are passed as parameters. The severity is high because a minimal input can cause an immediate process crash.

Recommendation

• Upgrade to a patched version of dasel that includes the fix for CVE-2026-46377 once available.
• Implement input validation and sanitization on selector strings to prevent malicious inputs containing trailing backslashes in quoted strings, mitigating the risk even without a patch.
• Monitor application logs for panic errors originating from the dasel/selector/lexer package to detect potential exploitation attempts.
• Deploy the Sigma rule Detect Dasel Trailing Backslash Panic (CVE-2026-46377) to identify processes that may be crashing due to this vulnerability by detecting the “index out of range” error message.

]]>mediumadvisorydospanicgodaselhttps://feed.craftedsignal.io/briefs/2026-05-dasel-dos/Tue, 19 May 2026 20:11:16 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-dasel-dos/Dasel versions 3.0.0 to 3.3.1 are vulnerable to a denial-of-service attack (CVE-2026-46378) where the selector lexer enters a non-terminating loop when tokenizing an unterminated regex pattern, causing 100% CPU usage on one core, which can be triggered by an attacker-controlled selector/query string.Dasel, a utility for selecting and modifying data structures, is susceptible to a denial-of-service vulnerability (CVE-2026-46378). This flaw resides in the selector lexer component of dasel versions 3.0.0 to 3.3.1. Specifically, the lexer enters an infinite loop when attempting to tokenize an unterminated regular expression pattern, such as r/. This causes a single CPU core to reach 100% utilization, effectively halting the processing of any further requests or operations relying on dasel. The vulnerability was confirmed on versions v3.3.1 (fba653c7f248aff10f2b89fca93929b64707dfc8) and on the master commit 0dd6132e0c58edbd9b1a5f7ffd00dfab1e6085ad, as well as v3.0.0. An attacker who can control or influence the selector/query string passed to dasel can exploit this, potentially leading to service disruption. No fix is currently available.

Attack Chain

1. An attacker crafts a malicious input string containing an unterminated regular expression pattern (e.g., r/).
2. The attacker injects this malicious input into an application that uses dasel to process data. This injection point could be a web application, a command-line tool, or any other context where dasel is used to handle user-provided selectors.
3. The dasel application receives the malicious input and passes it to the NewTokenizer function in selector/lexer/tokenize.go.
4. The tokenizer begins to parse the input string and encounters the r/ sequence.
5. The parseCurRune function invokes the matchRegexPattern closure.
6. Due to the missing closing /, the loop on line 243 of tokenize.go continues indefinitely, consuming CPU resources.
7. The affected process becomes unresponsive, leading to a denial-of-service condition.
8. The application relying on dasel functionality becomes unavailable or experiences degraded performance.

Impact

Successful exploitation of this vulnerability leads to a denial-of-service condition. The affected process will consume 100% CPU on one core, rendering it unable to perform other tasks. This can impact web applications, command-line tools, and other systems that rely on dasel for data querying and modification. The severity depends on the criticality of the affected service, potentially disrupting business operations. While the proof of concept only affects one CPU core, in a containerized environment, this could trigger health checks to fail and the container to restart repeatedly.

Recommendation

• Apply a patch to dasel as soon as one becomes available from the vendor. This is the most effective way to mitigate the vulnerability.
• Implement input validation on selector strings before they are passed to dasel. Specifically, reject any selector strings that start with r/ and do not contain a closing /.
• Deploy the Sigma rule provided to detect instances where a dasel process consumes excessive CPU, indicating a potential denial-of-service attack targeting this vulnerability.
• Monitor dasel processes for unusually high CPU utilization, which can be an indicator of this vulnerability being exploited.

]]>mediumadvisorydenial-of-servicedaselCVE-2026-46378