{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/panic/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["dasel"],"_cs_severities":["medium"],"_cs_tags":["dos","panic","go","dasel"],"_cs_type":"advisory","_cs_vendors":["Tom Wright"],"content_html":"\u003cp\u003eThe \u003ccode\u003edasel\u003c/code\u003e library, a command-line tool and Go library for selecting and updating data structures, is vulnerable to a denial-of-service attack. Specifically, the selector lexer component within \u003ccode\u003edasel\u003c/code\u003e panics when processing a quoted string that ends with a trailing backslash. This occurs due to a missing bounds check in the escape sequence handler, leading to an index-out-of-range error when the lexer attempts to read past the end of the input string. Confirmed on versions \u003ccode\u003ev3.0.0\u003c/code\u003e and \u003ccode\u003ev3.3.1\u003c/code\u003e, this vulnerability can be triggered with a minimal 2-byte input (\u003ccode\u003e\u0026quot;\\\u003c/code\u003e or \u003ccode\u003e'\\\u003c/code\u003e). An attacker who can control the selector/query string passed to dasel can trigger a Go runtime panic, crashing the process unless the caller explicitly recovers from panics.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious input string containing a quoted string that ends with a trailing backslash (e.g., \u003ccode\u003e\u0026quot;\\\u003c/code\u003e or \u003ccode\u003e'\\\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker provides this malicious input string to an application that uses the \u003ccode\u003edasel\u003c/code\u003e library.\u003c/li\u003e\n\u003cli\u003eThe application passes the input string to the \u003ccode\u003elexer.NewTokenizer\u003c/code\u003e function to create a new tokenizer.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eTokenize\u003c/code\u003e method is called on the tokenizer to lex the input string.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eparseCurRune\u003c/code\u003e function is called to parse the current rune.\u003c/li\u003e\n\u003cli\u003eInside \u003ccode\u003eparseCurRune\u003c/code\u003e, the code detects the backslash character but does not check if it\u0026rsquo;s the last character in the input.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003epos++\u003c/code\u003e increments the position beyond the end of the input.\u003c/li\u003e\n\u003cli\u003eThe subsequent \u003ccode\u003ep.src[pos]\u003c/code\u003e attempts to read past the end of the input slice, triggering a Go runtime panic and crashing the \u003ccode\u003edasel\u003c/code\u003e process.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in a denial-of-service condition. Any application using \u003ccode\u003edasel\u003c/code\u003e that processes attacker-controlled selector strings is susceptible to crashing. This can impact web applications using \u003ccode\u003edasel\u003c/code\u003e for dynamic querying, applications that construct selectors from user input, and shared tooling environments where selectors are passed as parameters. The severity is high because a minimal input can cause an immediate process crash.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of \u003ccode\u003edasel\u003c/code\u003e that includes the fix for CVE-2026-46377 once available.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on selector strings to prevent malicious inputs containing trailing backslashes in quoted strings, mitigating the risk even without a patch.\u003c/li\u003e\n\u003cli\u003eMonitor application logs for panic errors originating from the \u003ccode\u003edasel/selector/lexer\u003c/code\u003e package to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Dasel Trailing Backslash Panic (CVE-2026-46377)\u003c/code\u003e to identify processes that may be crashing due to this vulnerability by detecting the \u0026ldquo;index out of range\u0026rdquo; error message.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T20:11:29Z","date_published":"2026-05-19T20:11:29Z","id":"https://feed.craftedsignal.io/briefs/2026-05-dasel-panic/","summary":"The dasel selector lexer is vulnerable to an index-out-of-range panic when tokenizing a quoted string that ends with a trailing backslash (e.g., `\"\\` or `'\\`), leading to a process crash if an attacker can control the selector string.","title":"Dasel Selector Lexer Index-Out-of-Range Panic on Trailing Backslash (CVE-2026-46377)","url":"https://feed.craftedsignal.io/briefs/2026-05-dasel-panic/"}],"language":"en","title":"CraftedSignal Threat Feed — Panic","version":"https://jsonfeed.org/version/1.1"}