Security Advisories (3)
CVE-2025-11683 (2025-10-16)

YAML::Syck versions before 1.36 for Perl are missing null terminators, which causes an out-of-bounds read and potential information disclosure. Missing null terminators in token.c lead to an out-of-bounds read that allows an adjacent variable to be read. The issue is seen with complex YAML files containing a hash of all keys and empty values. There is no indication that the issue leads to accessing memory outside that allocated to the module.

CVE-2026-4177 (2026-03-16)

YAML::Syck versions through 1.36 for Perl have several potential security vulnerabilities, including a high-severity heap buffer overflow in the YAML emitter. The heap overflow occurs when class names exceed the initial 512-byte allocation. The base64 decoder could read past the buffer end on trailing newlines. strtok mutated n->type_id in place, corrupting shared node data. A memory leak occurred in syck_hdlr_add_anchor when a node already had an anchor: the incoming anchor string 'a' was leaked on early return.

CVE-2026-5089 (2026-05-12)

YAML::Syck versions before 1.38 for Perl have an out-of-bounds read. The base60 (sexagesimal) parsing code in perl_syck.h has a buffer underflow bug in both the int#base60 and float#base60 handlers. When processing the leftmost segment of a colon-separated value (e.g., the 1 in 1:30:45), the inner while loop can decrement a pointer past the start of the string buffer:

    while ( colon >= ptr && *colon != ':' ) { colon--; }
    if ( *colon == ':' ) *colon = '\0';   // colon may be ptr-1 here

When no colon is found (final/leftmost segment), colon becomes ptr-1, and the subsequent *colon dereference reads one byte before the allocated buffer.
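
The two loop shapes described above, as an added example that is not libsyck's or YAML::Syck's code: a simplified base60 segment walk in the advisory's shape beside a hardened version that stops at the buffer start. Only the quoted inner loop and the *colon check come from the advisory text; the surrounding accumulation loop, the omission of sign handling and float segments, and the function names (walk_base60_advisory, walk_base60_hardened, parse_base60, guard_clobbered) are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example; not libsyck or YAML::Syck code. It re-implements the base60
 * segment walk that CVE-2026-5089 describes, once in the loop shape quoted
 * in the advisory and once hardened. Only the inner loop and the "*colon"
 * check come from the advisory text; the surrounding accumulation loop, the
 * sign-less integer handling and the function names are assumptions. */

/* Advisory-shaped walk. Scans right to left, writing '\0' over each ':' it
 * consumes. On the leftmost segment `colon` ends at ptr-1 and is then
 * dereferenced: an out-of-bounds read, followed by an out-of-bounds store
 * if the stray byte happens to be ':'. Kept only for comparison. */
static long walk_base60_advisory(char *ptr)
{
    long total = 0, mult = 1;
    char *end = ptr + strlen(ptr);

    for (;;) {
        char *colon = end - 1;
        while ( colon >= ptr && *colon != ':' ) { colon--; }
        if ( *colon == ':' ) *colon = '\0';     /* colon may be ptr-1 here */
        total += strtol(colon + 1, NULL, 10) * mult;
        mult *= 60;
        if (colon < ptr) break;                 /* leftmost segment done */
        end = colon;
    }
    return total;
}

/* Hardened walk: `seg` never moves below ptr, so nothing before the buffer
 * is read or written. Same right-to-left scan, same in-place '\0' writes,
 * but the scan stops at the buffer start instead of one byte before it. */
static long walk_base60_hardened(char *ptr)
{
    long total = 0, mult = 1;
    char *end = ptr + strlen(ptr);              /* *end == '\0' */

    for (;;) {
        char *seg = end;
        while (seg > ptr && seg[-1] != ':') seg--;   /* seg[-1] read only when seg > ptr */
        total += strtol(seg, NULL, 10) * mult;  /* digits live in [seg, end) */
        mult *= 60;
        if (seg == ptr) break;                  /* leftmost segment done */
        end = seg - 1;                          /* the ':' before this segment */
        *end = '\0';                            /* terminate the next segment */
    }
    return total;
}

/* Parse a sexagesimal integer literal such as "1:30:45" (= 5445) with the
 * hardened walk. Copies the input because the walk mutates its buffer. */
long parse_base60(const char *literal)
{
    size_t n = strlen(literal) + 1;
    char *copy = malloc(n);
    long v;
    if (!copy) return 0;
    memcpy(copy, literal, n);
    v = walk_base60_hardened(copy);
    free(copy);
    return v;
}

/* Make the out-of-bounds access observable. The constructed buffer puts a
 * ':' immediately before the literal, standing in for whatever precedes the
 * real allocation; touching it is well-defined here only because it lies
 * inside this array. Returns 1 if the walk overwrote that guard byte. */
int guard_clobbered(int hardened)
{
    char buf[] = ":1:30:45";
    if (hardened)
        walk_base60_hardened(buf + 1);
    else
        walk_base60_advisory(buf + 1);
    return buf[0] != ':';
}

int main(void)
{
    printf("1:30:45 -> %ld\n", parse_base60("1:30:45"));
    printf("advisory loop clobbered guard byte: %d\n", guard_clobbered(0));
    printf("hardened loop clobbered guard byte: %d\n", guard_clobbered(1));
    return 0;
}
```

guard_clobbered places a ':' immediately before the literal; with that byte in place the advisory-shaped loop not only reads it but, in this re-implementation, stores '\0' over it, so whether the defect stays a read or becomes a write depends on what happens to precede the allocation. The fix is the bounds check before the dereference: either test colon >= ptr before *colon, or, as the hardened walk does, never let the scan pointer move below ptr at all.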

NAME

YAML::Syck - Fast, lightweight YAML loader and dumper

VERSION

This document describes version 0.18 of YAML::Syck, released January 10, 2005.

SYNOPSIS

use YAML::Syck;

$data = Load($yaml);
$yaml = Dump($data);

DESCRIPTION

This module provides a Perl interface to the libsyck data serialization library. It exports the Dump and Load functions for converting Perl data structures to YAML strings, and the other way around.

FLAGS

$YAML::Syck::ImplicitTyping

Defaults to false. Setting this to a true value will make Load recognize various implicit types in YAML, such as unquoted true, false, as well as integers and floating-point numbers. Otherwise, only ~ is recognized to be undef.

$YAML::Syck::Headless

Defaults to false. Setting this to a true value will make Dump omit the leading ---\n marker.

CAVEATS

The current implementation bundles libsyck source code; if your system has a system-wide shared libsyck, it will not be used.

This module is not currently pluggable to the new YAML (0.50+) framework, but that's expected to change in the future.

Dumping cyclic references is currently broken.

SEE ALSO

YAML

AUTHORS

Audrey Tang <autrijus@autrijus.org>

COPYRIGHT

Copyright by Audrey Tang <autrijus@autrijus.org>.

The libsyck code bundled with this library is written by why the lucky stiff, under a BSD-style license. See the COPYING file for details.

The Storable.xs code bundled with this library is written by Raphael Manfredi and maintained by perl5-porters, under the same license as Perl.

This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.

See http://www.perl.com/perl/misc/Artistic.html