Update:
[HIGH] GHSA-m6xr-fvfg-5g64: Dasel: Denial of service in dasel selector lexer due to infinite loop on unterminated regex literal
GitHub Security Advisory·Security·SecurityFix·5/19/2026
### Summary `dasel`'s selector lexer enters a non-terminating loop when tokenizing an unterminated regex pattern such as `r/abc`. A 2-byte input (`r/`) is sufficient to cause the tokenizer to consume 100% CPU on one core indefinitely. I confirmed the issue on `v3.3.1` (`fba653c7f248aff10f2b89fca93
Why it matters → github.com/tomwright/dasel/v3 released an update. Review the changelog for relevant changes.
Who should care → Teams using github.com/tomwright/dasel/v3.
github.com/tomwright/dasel/v3
Source payload preview
{
"ghsaId": "GHSA-m6xr-fvfg-5g64",
"summary": "Dasel: Denial of service in dasel selector lexer due to infinite loop on unterminated regex literal",
"severity": "HIGH",
"updatedAt": "2026-05-19T20:09:22Z",
"references": [
{
"url": "https://github.com/TomWright/dasel/security/advisories/GHSA-m6xr-fvfg-5g64"
},
{
"url": "https://github.com/TomWright/dasel/commit/95f8dd3af12958bf6ca2a737b3ec0267280f86ed"
},
{
"url": "https://github.com/advisories/GHSA-m6xr-fvfg-5g64"
}
],
"description": "### Summary\n\n`dasel`'s selector lexer enters a non-terminating loop when tokenizing an unterminated regex pattern such as `r/abc`. A 2-byte input (`r/`) is sufficient to cause the tokenizer to consume 100% CPU on one core indefinitely.\n\nI confirmed t
…