YAML::Syck CVE-2025-11683
HIGHSeverity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Network-reachable via any app accepting untrusted YAML; no auth or config required; one-byte OOB read yields low C and low A, no integrity impact.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4Description PRE-NVD
AnalysisAI
Out-of-bounds memory read in YAML::Syck's bundled libsyck C library for Perl exposes any application calling Load() or LoadFile() on untrusted YAML to a one-byte heap over-read. The root flaw (CVE-2025-11683) resided in the libsyck block-scalar lexer's newline scanning logic; the patch issued for that CVE was incomplete, leaving a second lexer path uncovered - subsequently disclosed as CVE-2026-57077. Both are resolved in YAML-Syck 1.47 (released July 13, 2026). No public exploit has been identified and the vulnerability is not listed in the CISA KEV catalog.
Technical ContextAI
YAML::Syck is a Perl YAML module that wraps a bundled copy of the libsyck C library for parsing and emitting YAML documents. The flaw is classified CWE-125 (Out-of-bounds Read) and is located in the libsyck functions newline_len and is_newline, which scan forward through the input buffer looking for newline sequences, including CRLF pairs. During block-scalar lexing at a YAML document boundary (e.g., a '|' or '>' scalar adjacent to a '---' separator), the scan dereferences both the current byte and the immediately following byte to detect CRLF pairs, but performs no NUL-terminator check and no bounds verification against the heap lexer buffer's end. The result is a single byte read past the allocated buffer on the heap. The original CVE-2025-11683 fix addressed one such code path; the residual path - now documented as CVE-2026-57077 - was not covered by that patch. The vulnerable API surface is the default YAML::Syck::Load() and YAML::Syck::LoadFile() functions, which are the standard entry points for virtually all callers of this module.
Affected ProductsAI
YAML::Syck (YAML-Syck) for Perl, all versions before 1.47. The vulnerability resides in the bundled libsyck C library compiled as part of the XS extension and is reachable through the default YAML::Syck::Load() and YAML::Syck::LoadFile() interfaces. JSON::Syck, which shares the same libsyck backend, may also be affected on equivalent code paths. The fixed release is YAML-Syck 1.47, published July 13, 2026, documented at https://metacpan.org/release/TODDR/YAML-Syck-1.47/changes.
RemediationAI
Upgrade to YAML-Syck 1.47 or later using cpanm (run: cpanm YAML::Syck) or the CPAN shell (perl -MCPAN -e 'install YAML::Syck'). Version 1.47 resolves CVE-2026-57077 and three additional memory-safety CVEs in the same bundled libsyck code: CVE-2026-57075 (OOB read in base64 decoder), CVE-2026-57076 (use-after-free of anchor key string), and CVE-2026-13713 (use-after-free/double-free of anchor node). The upstream fix commit is at https://github.com/toddr/YAML-Syck/commit/44c90a109ec3215ee7ce747bd11209835e123d8b. If immediate upgrade is not possible, the most effective compensating control is to avoid calling Load() or LoadFile() on any externally supplied or attacker-influenced YAML; applications that process only internally generated or cryptographically signed YAML documents are not exposed to this attack path. No configuration flag or runtime option within YAML::Syck disables the vulnerable block-scalar lexer path while preserving normal YAML parsing.
The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and
An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrar
Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitra
An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTT
Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfi
An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner
The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' byte
Resource exhaustion in OpenTelemetry Go propagation library (v1.41.0 and earlier) enables remote attackers to trigger se
A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert char
The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca
Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity w
Same weakness CWE-119 – Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today