CVE-2025-11683: 
Linux Debian vulnerability analysis and mitigation

YAML::Syck versions before 1.36 for Perl contains a vulnerability related to missing null-terminators which causes out-of-bounds read and potential information disclosure. The issue was discovered in October 2025 and affects the token.c component. The vulnerability is particularly evident when processing complex YAML files with a hash of all keys and empty values (NVD).

The vulnerability stems from missing null terminators in the token.c component, which leads to out-of-bounds read operations. The issue has been assigned a CVSS v3.1 Base Score of 6.5 (Medium) with the vector string CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. This indicates that the vulnerability requires adjacent network access, has low attack complexity, requires no privileges or user interaction, and can result in high confidentiality impact without affecting integrity or availability (NVD).

The vulnerability can lead to information disclosure through out-of-bounds read operations. However, there is no indication that the issue leads to accessing memory outside that allocated to the module. The impact is primarily limited to reading adjacent variables within the allocated memory space (NVD).

The vulnerability has been fixed in YAML::Syck version 1.36. Users are advised to upgrade to this version or later to address the security issue (GitHub PR).