Skip to main content

YAML::Syck CVE-2025-11683

HIGH
Buffer Overflow (CWE-119)
2026-07-17
6.5
CVSS · NVD
Share

Severity by source

NVD
6.5 MEDIUM
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network-reachable via any app accepting untrusted YAML; no auth or config required; one-byte OOB read yields low C and low A, no integrity impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Jul 17, 2026 - 04:02 NVD
Source Code Evidence Fetched
Jul 17, 2026 - 02:16 vuln.today
Analysis Generated
Jul 17, 2026 - 02:16 vuln.today
CVE Published
Jul 17, 2026 - 00:47 oss-security
HIGH

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Out-of-bounds memory read in YAML::Syck's bundled libsyck C library for Perl exposes any application calling Load() or LoadFile() on untrusted YAML to a one-byte heap over-read. The root flaw (CVE-2025-11683) resided in the libsyck block-scalar lexer's newline scanning logic; the patch issued for that CVE was incomplete, leaving a second lexer path uncovered - subsequently disclosed as CVE-2026-57077. Both are resolved in YAML-Syck 1.47 (released July 13, 2026). No public exploit has been identified and the vulnerability is not listed in the CISA KEV catalog.

Technical ContextAI

YAML::Syck is a Perl YAML module that wraps a bundled copy of the libsyck C library for parsing and emitting YAML documents. The flaw is classified CWE-125 (Out-of-bounds Read) and is located in the libsyck functions newline_len and is_newline, which scan forward through the input buffer looking for newline sequences, including CRLF pairs. During block-scalar lexing at a YAML document boundary (e.g., a '|' or '>' scalar adjacent to a '---' separator), the scan dereferences both the current byte and the immediately following byte to detect CRLF pairs, but performs no NUL-terminator check and no bounds verification against the heap lexer buffer's end. The result is a single byte read past the allocated buffer on the heap. The original CVE-2025-11683 fix addressed one such code path; the residual path - now documented as CVE-2026-57077 - was not covered by that patch. The vulnerable API surface is the default YAML::Syck::Load() and YAML::Syck::LoadFile() functions, which are the standard entry points for virtually all callers of this module.

Affected ProductsAI

YAML::Syck (YAML-Syck) for Perl, all versions before 1.47. The vulnerability resides in the bundled libsyck C library compiled as part of the XS extension and is reachable through the default YAML::Syck::Load() and YAML::Syck::LoadFile() interfaces. JSON::Syck, which shares the same libsyck backend, may also be affected on equivalent code paths. The fixed release is YAML-Syck 1.47, published July 13, 2026, documented at https://metacpan.org/release/TODDR/YAML-Syck-1.47/changes.

RemediationAI

Upgrade to YAML-Syck 1.47 or later using cpanm (run: cpanm YAML::Syck) or the CPAN shell (perl -MCPAN -e 'install YAML::Syck'). Version 1.47 resolves CVE-2026-57077 and three additional memory-safety CVEs in the same bundled libsyck code: CVE-2026-57075 (OOB read in base64 decoder), CVE-2026-57076 (use-after-free of anchor key string), and CVE-2026-13713 (use-after-free/double-free of anchor node). The upstream fix commit is at https://github.com/toddr/YAML-Syck/commit/44c90a109ec3215ee7ce747bd11209835e123d8b. If immediate upgrade is not possible, the most effective compensating control is to avoid calling Load() or LoadFile() on any externally supplied or attacker-influenced YAML; applications that process only internally generated or cryptographically signed YAML documents are not exposed to this attack path. No configuration flag or runtime option within YAML::Syck disables the vulnerable block-scalar lexer path while preserving normal YAML parsing.

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2026-33309 CRITICAL POC
9.9 Mar 19

An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrar

CVE-2019-7304 CRITICAL POC
9.8 Apr 23

Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitra

CVE-2026-33186 CRITICAL POC
9.1 Mar 18

An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTT

CVE-2026-50180 HIGH POC
8.7 Jul 02

Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfi

CVE-2020-14966 HIGH POC
7.5 Jun 22

An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner

CVE-2020-13822 HIGH POC
7.7 Jun 04

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' byte

CVE-2026-29181 HIGH POC
7.5 Apr 07

Resource exhaustion in OpenTelemetry Go propagation library (v1.41.0 and earlier) enables remote attackers to trigger se

CVE-2019-7303 HIGH POC
7.5 Apr 23

A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert char

CVE-2014-4699 MEDIUM POC
6.9 Jul 09

The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved

CVE-2017-7725 MEDIUM POC
6.1 Apr 13

concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca

CVE-2026-48816 MEDIUM POC
6.5 Jul 01

Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity w

Share

CVE-2025-11683 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy