CVE-2025-40908: YAML-LibYAML prior to 0.903.0 for Perl uses 2-args open, allowing existing files to be modified Timothy Legge 01 Jun 2025 16:41 UTC

========================================================================
CVE-2025-40908                                       CPAN Security Group
========================================================================

        CVE ID:  CVE-2025-40908
  Distribution:  YAML-LibYAML
      Versions:  before 0.903.0

      MetaCPAN:  https://metacpan.org/dist/YAML-LibYAML
      VCS Repo:  https://github.com/ingydotnet/yaml-libyaml-pm

YAML-LibYAML prior to 0.903.0 for Perl uses 2-args open, allowing
existing files to be modified

Description
-----------
YAML-LibYAML prior to 0.903.0 for Perl opens files with Perl's
two-argument open(), which parses the open mode out of the filename
itself: a name that begins with ">" or ">>" is opened for writing or
appending rather than for reading. A caller that passes an untrusted
filename to a routine it expects only to read from can therefore have
an existing file truncated or modified. The fix in 0.903.0 uses the
three-argument form of open(), where the mode is given separately and
the filename is taken literally.
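
The following script is an added illustration of the two-argument open()
hazard and its three-argument fix; it is not code from YAML-LibYAML or
from the advisory. The subroutines load_2arg and load_3arg are hypothetical
stand-ins for any "read this file" helper, the victim file is created in a
temporary directory, and the hostile filename is constructed for the demo.

```perl
#!/usr/bin/env perl
# Added example (not YAML-LibYAML code): why a two-argument open() is
# dangerous when the filename comes from an untrusted source, and how the
# three-argument form closes the hole.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Constructed sample: an existing file whose contents we want to keep.
my $dir    = tempdir(CLEANUP => 1);
my $victim = File::Spec->catfile($dir, 'config.yaml');
open my $w, '>', $victim or die "create '$victim': $!";
print {$w} "secret: do-not-lose\n";
close $w;

# Hypothetical untrusted input: the caller only intends to *read* the file,
# but the name starts with '>', which two-argument open() treats as a mode.
my $untrusted = ">$victim";

# Vulnerable pattern (hypothetical helper): two-argument open() lets the
# filename decide the mode, so '>' turns a read into a truncating write.
sub load_2arg {
    my ($name) = @_;
    open my $fh, $name or die "open '$name': $!";
    local $/;
    my $data = <$fh>;   # handle is write-only; Perl warns and returns undef
    close $fh;
    return $data;
}

# Fixed pattern (hypothetical helper): three-argument open() makes the mode
# explicit and takes the filename literally, '>' and all.
sub load_3arg {
    my ($name) = @_;
    open my $fh, '<', $name or die "open '$name': $!";
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

sub size { my @st = stat $_[0]; return $st[7] }

printf "before:            %d bytes\n", size($victim);

eval { load_2arg($untrusted) };   # "succeeds", but config.yaml is now empty
printf "after 2-arg open:  %d bytes (truncated)\n", size($victim);

# Restore the file, then feed the same hostile name to the safe form.
open $w, '>', $victim or die "restore: $!";
print {$w} "secret: do-not-lose\n";
close $w;

eval { load_3arg($untrusted) };
print "3-arg open refused: $@" if $@;   # no file literally named ">$victim"
printf "after 3-arg open:  %d bytes (intact)\n", size($victim);
```

Run it as-is; the only side effects are inside the temporary directory,
which is removed on exit. The warning Perl emits during the two-argument
call ("Filehandle ... opened only for output") is the tell that the read
helper silently became a writer. As a general property of Perl's
two-argument open(), not something this advisory claims for YAML-LibYAML,
the same parsing also treats a leading or trailing "|" as a pipe, which is
why the three-argument form is the right default wherever a filename is
not fully under the program's control.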

Problem types
-------------
CWE-552 Files or Directories Accessible to External Parties

Impacts
-------
CAPEC-23 File Content Injection

References
----------
https://github.com/ingydotnet/yaml-libyaml-pm/issues/120
https://github.com/ingydotnet/yaml-libyaml-pm/pull/121
https://github.com/ingydotnet/yaml-libyaml-pm/pull/122

Credits
-------
@shlomif (Shlomi Fish), finder