CVE-2025-11683

Published: Oct 16, 2025Modified: Mar 9, 2026

6.5

Vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

YAML::Syck versions before 1.36 for Perl has missing null-terminators which causes out-of-bounds read and potential information disclosure Missing null terminators in token.c leads to but-of-bounds read which allows adjacent variable to be read The issue is seen with complex YAML files with a hash of all keys and empty values. There is no indication that the issue leads to accessing memory outside that allocated to the module.

Affected (1)

Products: Toddr: Yaml\

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Toddr Yaml\	Before 1.36

Related CWEs

Improper Restriction of Operations within the Bounds of a Memory Buffer

The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

References (2)

https://github.com/cpan-authors/YAML-Syck/pull/65

Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e

Issue Tracking

https://metacpan.org/dist/YAML-Syck/changes

Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e

ProductRelease Notes

Timeline

No history available yet.