{"id":"CVE-2026-46378","summary":"Dasel: Denial of service in dasel selector lexer due to infinite loop on unterminated regex literal","details":"Dasel is a command-line tool and library for querying, modifying, and transforming data structures. From 3.0.0 until 3.10.1, the selector lexer matchRegexPattern closure in (*Tokenizer).parseCurRune in selector/lexer/tokenize.go loops while tokenizing an unterminated regex literal such as r/ because peekRuneEqual returns false after the end of input, allowing attacker-controlled selector strings to consume CPU indefinitely. This issue is fixed in version 3.10.1.","aliases":["GHSA-m6xr-fvfg-5g64","GO-2026-5493"],"modified":"2026-07-17T03:45:42.972714797Z","published":"2026-07-16T17:54:51.705Z","related":["CGA-3893-p8h8-xvp4"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46378.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-835"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46378.json"},{"type":"FIX","url":"https://github.com/TomWright/dasel/commit/95f8dd3af12958bf6ca2a737b3ec0267280f86ed"},{"type":"ADVISORY","url":"https://github.com/TomWright/dasel/security/advisories/GHSA-m6xr-fvfg-5g64"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46378"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/tomwright/dasel","events":[{"introduced":"648f83baf070d9e00db8ff312febef857ec090a3"},{"fixed":"e3c6663d78c62f69579d8f9afd00453dc3d01c29"}],"database_specific":{"extracted_events":[{"introduced":"3.0.0"},{"fixed":"3.10.1"}],"source":"AFFECTED_FIELD"}}],"versions":["v3.10.0","v3.9.0","v3.8.1","v3.8.0","v3.7.0","v3.6.0","v3.5.0","v3.4.1","v3.4.0","v3.3.2","v3.3.1","v3.3.0","v3.2.3","v3.2.2","v3.2.1","v3.2.0","v3.1.4","v3.1.3","v3.1.2","v3.1.1","v3.1.0","v3.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46378.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}