Fluid Attacks Database

Description

YAML::Syck versions before 1.36 for Perl has missing null-terminators which causes out-of-bounds read and potential information disclosure Missing null terminators in token.c leads to but-of-bounds read which allows adjacent variable to be read The issue is seen with complex YAML files with a hash of all keys and empty values. There is no indication that the issue leads to accessing memory outside that allocated to the module.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	libyaml-syck-perl	=1.34-2 \|\| >=0 <1.34-2+deb12u1	1.34-2+deb12u1
debian 11	libyaml-syck-perl	=1.34-1 \|\| >=0 <1.34-1+deb11u1	1.34-1+deb11u1
debian 13	libyaml-syck-perl	=1.34-2 \|\| >=0 <1.34-2+deb13u1	1.34-2+deb13u1
debian 14	libyaml-syck-perl	=1.34-2 \|\| =1.34-3 \|\| >=0 <1.34-4	1.34-4
rpm rhel8	perl-YAML-Syck	-	-
rpm rhel7	perl-YAML-Syck	-	-
rpm rhel6	perl-YAML-Syck	-	-

Aliases

1. CVE-2025-116832. NVD-2025-116833. OSV-DEBIAN-2025-116834. OSV-2025-116835. SECURITY-TRACKER-CVE-2025-11683

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.