Nixpkgs security tracker
NIXPKGS-2025-0023
published on
Permalink
CVE-2025-11683
6.5 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Adjacent (A)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): High (H)
- Integrity (I): None (N)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Adjacent (A)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): High (H)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): None (N)
- Modified Availability (MA): None (N)
by @LeSuisse Activity log
- Created suggestion
- @LeSuisse accepted
- @LeSuisse published on GitHub
YAML::Syck versions before 1.36 for Perl has missing Null-Terminators which causes Out-of-Bounds Read and potential Information Disclosure
YAML::Syck versions before 1.36 for Perl has missing null-terminators which causes out-of-bounds read and potential information disclosure Missing null terminators in token.c leads to but-of-bounds read which allows adjacent variable to be read The issue is seen with complex YAML files with a hash of all keys and empty values. There is no indication that the issue leads to accessing memory outside that allocated to the module.
References
Affected products
YAML-Syck
- <1.36
Matching in nixpkgs
pkgs.perlPackages.YAMLSyck
Fast, lightweight YAML loader and dumper
pkgs.perl538Packages.YAMLSyck
Fast, lightweight YAML loader and dumper
pkgs.perl540Packages.YAMLSyck
Fast, lightweight YAML loader and dumper