CVE-2025-40908: 
Linux Debian vulnerability analysis and mitigation

YAML-LibYAML prior to version 0.903.0 for Perl contains a vulnerability related to file handling. The vulnerability was discovered and reported on January 29, 2025, and was assigned CVE-2025-40908. The issue affects the YAML::XS Perl module's LoadFile functionality (GitHub Issue).

The vulnerability stems from the use of a 2-argument open function in the LoadFile functionality, which can allow existing files to be modified or truncated unintentionally. The issue occurs when untrusted filenames are processed, particularly when a filename contains special characters like '>' that can be interpreted as file operation modes. The vulnerability has been assigned a CVSS v3.1 base score of 9.1 (CRITICAL) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (NVD).

When exploited, this vulnerability can lead to unintended file modification or truncation of existing files on the system. If an attacker can control the filename parameter passed to the LoadFile function, they could potentially modify or destroy important files on the system (GitHub Issue).

The vulnerability has been fixed in YAML-LibYAML version 0.903.0 by implementing a 3-argument form of the open function. Users are recommended to upgrade to this version or later. Additionally, it is recommended to validate and sanitize untrusted filenames before processing them (GitHub PR).