Dasel Unbounded YAML Alias Expansion Leading to Denial-of-Service
Vulnerability
A denial-of-service vulnerability has been identified in Dasel versions from 3.0.0 up to, but not including, 3.3.1. The issue arises in the YAML reader, where the library's `UnmarshalYAML` implementation allows unbounded recursive alias expansion. An attacker who supplies crafted YAML can trigger this flaw, causing excessive CPU and memory usage. Because the expansion happens in Dasel's own reader, it bypasses the alias expansion limit enforced by the go-yaml library, so resource consumption grows uncontrollably until the process is terminated.
Impact
Exploitation of this vulnerability causes high CPU usage and increasing memory consumption, leading to a denial-of-service condition. This behavior occurs when Dasel's YAML reader processes untrusted YAML, either through the command-line interface or as a library dependency.
Reproduction
The vulnerability can be reproduced by using Dasel's YAML reader to process a YAML document that makes heavy use of aliases. Such a payload is built from multiple layers of anchored nodes, each of which references the previous layer through aliases several times, effectively creating an 'alias bomb'. When Dasel's YAML reader processes this payload, the unbounded alias expansion can be observed as excessive resource consumption.
Remediation
Users can upgrade to Dasel version 3.3.2, which includes a patch for this vulnerability.
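As an added example (not Dasel's own code), the following Go function is a pre-parse gate that a program feeding untrusted YAML to a reader can run first: it estimates, from the anchor and alias structure alone, how many nodes expansion would materialise and rejects the document above a budget. The function name `AliasExpansionCost`, the indentation-based scope heuristic and the sample documents are assumptions of this example; an alias chain that loops back on itself is treated as unbounded.

```go
package main
import (
	"fmt"
	"regexp"
	"strings"
)
var anchorRe = regexp.MustCompile(`&([A-Za-z0-9_-]+)`)
var aliasRe = regexp.MustCompile(`\*([A-Za-z0-9_-]+)`)

// expansionCost counts the nodes one expansion of an anchor produces; recursing
// deeper than there are anchors means the alias chain loops, so it is unbounded.
func expansionCost(refs map[string][]string, name string, depth, limit int) int {
	if depth > len(refs) { return limit + 1 }
	n := 1 // the node itself; an unknown anchor is left for the real parser to reject
	for _, r := range refs[name] {
		if n += expansionCost(refs, r, depth+1, limit); n > limit {
			break
		}
	}
	return n
}

// AliasExpansionCost is a pre-parse gate for block-style YAML (hypothetical helper):
// an anchor's scope is the rest of its line plus every following deeper-indented line.
func AliasExpansionCost(doc string, limit int) (int, error) {
	type scope struct{ name string; indent int }
	refs := map[string][]string{} // anchor name -> aliases used inside its node
	var open []scope              // anchors whose block is still being read
	total := 0
	for _, line := range strings.Split(doc, "\n") {
		body := strings.TrimLeft(line, " ")
		if body == "" || strings.HasPrefix(body, "#") { continue }
		indent := len(line) - len(body)
		for len(open) > 0 && indent <= open[len(open)-1].indent {
			open = open[:len(open)-1] // a dedent closes the anchored block
		}
		for _, m := range anchorRe.FindAllStringSubmatch(body, -1) {
			open = append(open, scope{m[1], indent})
		}
		for _, m := range aliasRe.FindAllStringSubmatch(body, -1) {
			for _, s := range open { // the alias also sits inside every open anchor
				refs[s.name] = append(refs[s.name], m[1])
			}
			if total += expansionCost(refs, m[1], 0, limit); total > limit {
				return total, fmt.Errorf("alias expansion would exceed %d nodes", limit)
			}
		}
	}
	return total, nil
}
```

A constructed document such as `base: &base` with two `*base` uses costs 2 nodes and passes, while three anchored layers that each alias the previous one twice (e.g. `b: &b [*a, *a]`, `c: &c [*b, *b]`, `d: *c`) already cost 15 and are rejected by a budget of 10.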