Out-of-Bounds Read Vulnerability in Perl's YAML::Syck Affects Key Handling
CVE-2025-11683

6.5MEDIUM

Key Information:

Vendor: Toddr
Status: Yaml::syck
Vendor: CVE Published:; 16 October 2025

What is CVE-2025-11683?

The YAML::Syck module for Perl is susceptible to an out-of-bounds read due to missing null-terminators in its token handling logic. This vulnerability potentially exposes adjacent variables when processing complex YAML files that contain hashed keys with empty values. Although the flaw does not directly indicate access to memory outside the allocated space of the module, it raises concerns about information disclosure in certain use cases. Developers utilizing YAML::Syck versions prior to 1.36 should review security implications and apply necessary updates or patches to safeguard their applications.

Affected Version(s)

YAML::Syck 0 < 1.36

References

https://github.com/cpan-authors/YAML-Syck/pull/65

patch

https://metacpan.org/dist/YAML-Syck/changes

release-notes

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 16, 2025
Vulnerability Reserved
Oct 13, 2025

CVE-2025-11683 Data

JSON

Toddr

What is CVE-2025-11683?

Affected Version(s)

References

CVSS V3.1

Timeline