{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-11683", "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "state": "PUBLISHED", "assignerShortName": "CPANSec", "dateReserved": "2025-10-13T12:35:07.822Z", "datePublished": "2025-10-16T00:14:41.769Z", "dateUpdated": "2025-10-16T13:42:17.584Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://cpan.org/modules", "defaultStatus": "unaffected", "packageName": "YAML-Syck", "product": "YAML::Syck", "programFiles": ["token.c"], "repo": "https://github.com/cpan-authors/YAML-Syck", "vendor": "TODDR", "versions": [{"lessThan": "1.36", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "YAML::Syck versions before 1.36 for Perl has missing null-terminators which causes out-of-bounds read and potential information disclosure<br><br>Missing null terminators in token.c leads to but-of-bounds read which allows adjacent variable to be read<br><br>The issue is seen with complex YAML files with a hash of all keys and empty values.&nbsp; There is no indication that the issue leads to accessing memory outside that allocated to the module.<br>"}], "value": "YAML::Syck versions before 1.36 for Perl has missing null-terminators which causes out-of-bounds read and potential information disclosure\n\nMissing null terminators in token.c leads to but-of-bounds read which allows adjacent variable to be read\n\nThe issue is seen with complex YAML files with a hash of all keys and empty values.\u00a0 There is no indication that the issue leads to accessing memory outside that allocated to the module."}], "impacts": [{"capecId": "CAPEC-540", "descriptions": [{"lang": "en", "value": "CAPEC-540 Overread Buffers"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-119", "description": "CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "shortName": "CPANSec", "dateUpdated": "2025-10-16T00:14:41.769Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/cpan-authors/YAML-Syck/pull/65"}, {"tags": ["release-notes"], "url": "https://metacpan.org/dist/YAML-Syck/changes"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Upgrade to version 1.36 or higher"}], "value": "Upgrade to version 1.36 or higher"}], "source": {"discovery": "UNKNOWN"}, "title": "YAML::Syck versions before 1.36 for Perl has missing Null-Terminators which causes Out-of-Bounds Read and potential Information Disclosure", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Apply the patch"}], "value": "Apply the patch"}], "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-10-16T13:41:01.868545Z", "id": "CVE-2025-11683", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-16T13:42:17.584Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-11683", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-16T13:41:01.868545Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-16T13:42:05.706Z"}}], "cna": {"title": "YAML::Syck versions before 1.36 for Perl has missing Null-Terminators which causes Out-of-Bounds Read and potential Information Disclosure", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-540", "descriptions": [{"lang": "en", "value": "CAPEC-540 Overread Buffers"}]}], "affected": [{"repo": "https://github.com/cpan-authors/YAML-Syck", "vendor": "TODDR", "product": "YAML::Syck", "versions": [{"status": "affected", "version": "0", "lessThan": "1.36", "versionType": "custom"}], "packageName": "YAML-Syck", "programFiles": ["token.c"], "collectionURL": "https://cpan.org/modules", "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to version 1.36 or higher", "supportingMedia": [{"type": "text/html", "value": "Upgrade to version 1.36 or higher", "base64": false}]}], "references": [{"url": "https://github.com/cpan-authors/YAML-Syck/pull/65", "tags": ["patch"]}, {"url": "https://metacpan.org/dist/YAML-Syck/changes", "tags": ["release-notes"]}], "workarounds": [{"lang": "en", "value": "Apply the patch", "supportingMedia": [{"type": "text/html", "value": "Apply the patch", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "YAML::Syck versions before 1.36 for Perl has missing null-terminators which causes out-of-bounds read and potential information disclosure\n\nMissing null terminators in token.c leads to but-of-bounds read which allows adjacent variable to be read\n\nThe issue is seen with complex YAML files with a hash of all keys and empty values.\u00a0 There is no indication that the issue leads to accessing memory outside that allocated to the module.", "supportingMedia": [{"type": "text/html", "value": "YAML::Syck versions before 1.36 for Perl has missing null-terminators which causes out-of-bounds read and potential information disclosure<br><br>Missing null terminators in token.c leads to but-of-bounds read which allows adjacent variable to be read<br><br>The issue is seen with complex YAML files with a hash of all keys and empty values.&nbsp; There is no indication that the issue leads to accessing memory outside that allocated to the module.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-119", "description": "CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer"}]}], "providerMetadata": {"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "shortName": "CPANSec", "dateUpdated": "2025-10-16T00:14:41.769Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11683", "state": "PUBLISHED", "dateUpdated": "2025-10-16T13:42:17.584Z", "dateReserved": "2025-10-13T12:35:07.822Z", "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "datePublished": "2025-10-16T00:14:41.769Z", "assignerShortName": "CPANSec"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:toddr:yaml\\:\\:syck:*:*:*:*:*:perl:*:*", "matchCriteriaId": "A2B7A1EA-2180-4708-BB3B-A14CD7F2ECF9", "versionEndExcluding": "1.36", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "YAML::Syck versions before 1.36 for Perl has missing null-terminators which causes out-of-bounds read and potential information disclosure\n\nMissing null terminators in token.c leads to but-of-bounds read which allows adjacent variable to be read\n\nThe issue is seen with complex YAML files with a hash of all keys and empty values.\u00a0 There is no indication that the issue leads to accessing memory outside that allocated to the module."}], "id": "CVE-2025-11683", "lastModified": "2026-03-09T15:05:36.383", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-10-16T01:15:32.890", "references": [{"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Issue Tracking"], "url": "https://github.com/cpan-authors/YAML-Syck/pull/65"}, {"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Product", "Release Notes"], "url": "https://metacpan.org/dist/YAML-Syck/changes"}], "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "type": "Secondary"}]}

{"bugzilla": {"description": "yaml-syck: YAML::Syck potential Information Disclosure", "id": "2404319", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2404319"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-119", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-11683", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "perl-YAML-Syck", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "perl-YAML-Syck", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "perl-YAML-Syck", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2025-10-16T00:14:41Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-11683\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-11683\nhttps://github.com/cpan-authors/YAML-Syck/pull/65\nhttps://metacpan.org/dist/YAML-Syck/changes"], "threat_severity": "Moderate"}

{"created": "2025-10-21T09:40:49.646021+00:00", "updated": "2025-10-21T09:40:49.646055+00:00", "vendors": ["perl", "perl$PRODUCT$perl", "perl$PRODUCT$yaml::syck"]}