CVE-2025-11683

MEDIUM

YAML::Syck < 1.36 - Out-of-Bounds Read via Missing Null-Terminators

Title source: llm

Description

YAML::Syck versions before 1.36 for Perl have missing null-terminators, which causes an out-of-bounds read and potential information disclosure. Missing null terminators in token.c lead to an out-of-bounds read that allows an adjacent variable to be read. The issue is seen with complex YAML files containing a hash of all keys and empty values. There is no indication that the issue leads to accessing memory outside that allocated to the module.

References (2)

Core References
Various Sources: release-notes
https://metacpan.org/dist/YAML-Syck/changes

Scores

CVSS v3 6.5
EPSS 0.0024
EPSS Percentile 15.1%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-119
Status published
Products (1)
toddr/yaml\ < 1.36
Published Oct 16, 2025
Tracked Since Feb 18, 2026