CVE-2025-11683: YAML::Syck versions before 1.36 for Perl have missing null terminators, which cause an out-of-bounds read and potential information disclosure
Timothy Legge 16 Oct 2025 00:16 UTC
========================================================================
CVE-2025-11683 CPAN Security Group
========================================================================
CVE ID: CVE-2025-11683
Distribution: YAML-Syck
Versions: before 1.36
MetaCPAN: https://metacpan.org/dist/YAML-Syck
VCS Repo: https://github.com/cpan-authors/YAML-Syck
YAML::Syck versions before 1.36 for Perl have missing null terminators,
which cause an out-of-bounds read and potential information disclosure
Description
-----------
YAML::Syck versions before 1.36 for Perl have missing null terminators,
which cause an out-of-bounds read and potential information disclosure.
Missing null terminators in token.c lead to an out-of-bounds read that
allows an adjacent variable to be read.
The issue is seen with complex YAML files containing a hash whose keys all
have empty values. There is no indication that the issue leads to accessing
memory outside that allocated to the module.
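As an added illustration (this is not YAML::Syck's own token.c, and the
input is not the reported trigger), the following C program shows the bug
class the advisory names: a token copied into a buffer with no room for the
terminating NUL, beside the corrected copy, plus a memchr-based check that
detects the missing terminator without itself reading past the allocation.
The function names, the sample YAML and the buffer layout are constructed
for this example.

```c
/*
 * Illustrative reconstruction of the bug class in CVE-2025-11683:
 * a token copied into a heap buffer without a trailing NUL, so any later
 * C-string operation (strlen, printf "%s", strcmp) runs off the end into
 * whatever happens to be adjacent in memory.
 * NOT YAML::Syck code; all names and data here are made up for the example.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Buggy pattern: allocate exactly `len` bytes and copy `len` bytes.
 * The buffer is completely full, so no byte is left for the terminator. */
char *copy_token_unterminated(const char *src, size_t len)
{
    char *tok = malloc(len);
    if (!tok) return NULL;
    memcpy(tok, src, len);
    return tok;            /* a caller treating this as a C string reads OOB */
}

/* Fixed pattern: reserve one extra byte and terminate explicitly. */
char *copy_token_terminated(const char *src, size_t len)
{
    char *tok = malloc(len + 1);
    if (!tok) return NULL;
    memcpy(tok, src, len);
    tok[len] = '\0';
    return tok;
}

/* Defined-behaviour check: is there a NUL within the first `cap` bytes?
 * memchr never looks past `cap`, so unlike strlen this is safe to run on
 * the buggy buffer. */
int is_terminated(const char *buf, size_t cap)
{
    return memchr(buf, '\0', cap) != NULL;
}

/* Constructed sample: a mapping whose keys all have empty values, the
 * shape the advisory associates with the issue. */
static const char SAMPLE_YAML[] = "alpha:\nbeta:\ngamma:\n";

/* Length of the first key, i.e. the bytes before the first ':'. */
size_t first_key_len(const char *yaml)
{
    const char *colon = strchr(yaml, ':');
    return colon ? (size_t)(colon - yaml) : 0;
}

/* Returns 1 if the buggy copy left a NUL inside its allocation (it does not). */
int buggy_copy_is_terminated(void)
{
    size_t len = first_key_len(SAMPLE_YAML);
    char *tok = copy_token_unterminated(SAMPLE_YAML, len);
    int ok = tok && is_terminated(tok, len);
    free(tok);
    return ok;
}

/* Returns 1 if the fixed copy is a proper C string of the expected length. */
int fixed_copy_is_terminated(void)
{
    size_t len = first_key_len(SAMPLE_YAML);
    char *tok = copy_token_terminated(SAMPLE_YAML, len);
    int ok = tok && is_terminated(tok, len + 1) && strlen(tok) == len;
    free(tok);
    return ok;
}

int main(void)
{
    printf("buggy copy has terminator: %d\n", buggy_copy_is_terminated());
    printf("fixed copy has terminator: %d\n", fixed_copy_is_terminated());
    return 0;
}
```

The practical point for reviewers of C extensions: whenever a length-delimited
token is handed to code that expects a C string, the allocation must be
length + 1 and the terminator written explicitly; a bounded scan such as
memchr is the safe way to audit a buffer for this, since strlen on an
unterminated buffer is itself the out-of-bounds read.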
Problem types
-------------
- CWE-119 Improper Restriction of Operations within the Bounds of a
Memory Buffer
Workarounds
-----------
Apply the patch
Solutions
---------
Upgrade to version 1.36 or higher
References
----------
https://github.com/cpan-authors/YAML-Syck/pull/65
https://metacpan.org/dist/YAML-Syck/changes