EXECUTIVE SUMMARY:
CVE-2026-46378 (CVSS 7.5) is a denial-of-service vulnerability in dasel, a Go package for JSONPath and XPath querying, affecting versions 3.0.0 through 3.10.0, excluding 3.10.1. The dasel selector lexer enters an infinite loop when tokenizing an unterminated regex pattern such as 'r/abc', and the tokenizer then consumes 100% CPU on one core indefinitely. An attacker who can control or influence the selector/query string passed to dasel can trigger this and cause a denial-of-service condition. The business impact is significant: resource exhaustion and complete failure of the affected application, potentially resulting in data loss, system downtime, and reputational damage. Exploitation has no prerequisites; manipulating the selector string is sufficient to trigger the attack.
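A pre-filter for untrusted selector strings, as an added example that is not dasel's code or its fix: it rejects an unterminated r/ literal before the selector reaches the lexer. The grammar it assumes (a regex opens with "r/" outside quotes and identifiers and closes at the next unescaped "/") and the names CheckSelector, closingSlash and isIdent are assumptions made for illustration.

```go
package main

import "fmt"

// closingSlash finds the first unescaped '/'; the i < len(s) bound ends the scan at EOF.
func closingSlash(s string, start int) (int, bool) {
	for i := start; i < len(s); i++ {
		switch s[i] {
		case '\\':
			i++ // skip the escaped byte
		case '/':
			return i, true
		}
	}
	return 0, false
}

func isIdent(b byte) bool {
	return b == '_' || b >= '0' && b <= '9' || b >= 'a' && b <= 'z' || b >= 'A' && b <= 'Z'
}

// CheckSelector rejects an unterminated r/.../ literal. Assumed grammar (not from dasel's
// source): "r/" outside quotes and identifiers opens a regex; the next unescaped "/" closes it.
func CheckSelector(sel string) error {
	for i := 0; i < len(sel); i++ {
		switch c := sel[i]; {
		case c == '"' || c == '\'': // skip quoted strings
			for i++; i < len(sel) && sel[i] != c; i++ {
				if sel[i] == '\\' {
					i++
				}
			}
		case c == 'r' && i+1 < len(sel) && sel[i+1] == '/' && (i == 0 || !isIdent(sel[i-1])):
			if end, ok := closingSlash(sel, i+2); ok {
				i = end
			} else {
				return fmt.Errorf("unterminated regex literal at offset %d", i)
			}
		}
	}
	return nil
}

func main() {
	// Constructed samples; "r/abc" is the pattern named in the advisory.
	for _, s := range []string{`r/abc`, `r/abc/`, `name =~ r/^a\/b`, `"r/abc"`} {
		fmt.Printf("%q -> %v\n", s, CheckSelector(s))
	}
}
```

The check is deliberately conservative: a selector such as r/2 is rejected even if the real grammar would read it differently.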
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-m6xr-fvfg-5g64