Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-46378— Dasel: Denial of service in dasel selector lexer due to infinite loop on unterminated regex literal

CVSS 6.2 · Medium EPSS 0.11% · P2

Possible ATT&CK Techniques 1AI

T1496 · Resource Hijacking

Affected Version Matrix 1

VendorProductVersion RangeStatus
TomWrightdasel>= 3.0.0, < 3.10.1affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-46378

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Dasel: Denial of service in dasel selector lexer due to infinite loop on unterminated regex literal
Source: NVD (National Vulnerability Database)
Vulnerability Description
Dasel is a command-line tool and library for querying, modifying, and transforming data structures. From 3.0.0 until 3.10.1, the selector lexer matchRegexPattern closure in (*Tokenizer).parseCurRune in selector/lexer/tokenize.go loops while tokenizing an unterminated regex literal such as r/ because peekRuneEqual returns false after the end of input, allowing attacker-controlled selector strings to consume CPU indefinitely. This issue is fixed in version 3.10.1.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
不可达退出条件的循环(无限循环)
Source: NVD (National Vulnerability Database)
Vulnerability Title
tomwright dasel 资源管理错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
tomwright dasel是tomwright个人开发者开源的一个命令行数据查询与转换工具。 tomwright dasel 3.0.0版本至3.10.1之前版本存在资源管理错误漏洞,该漏洞源于selector lexer中matchRegexPattern闭包在解析未终止的正则表达式时循环,导致攻击者控制的字符串消耗CPU资源,造成拒绝服务。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
TomWrightdasel >= 3.0.0, < 3.10.1 -

II. Public POCs for CVE-2026-46378

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-46378

登录查看更多情报信息。

Patches & Fixes for CVE-2026-46378 (1)

Vendor Advisories for CVE-2026-46378 (1)

IV. Related Vulnerabilities

V. Comments for CVE-2026-46378

No comments yet


Leave a comment