CVE-2025-40908: 
Alma Linux vulnerability analysis and mitigation

YAML-LibYAML prior to version 0.903.0 for Perl contains a vulnerability in its LoadFile functionality that was discovered on January 29, 2025. The vulnerability affects the YAML::XS Perl module and has been assigned CVE-2025-40908. The issue has been given a CVSS v3.1 base score of 9.1 (CRITICAL) (Wiz Report).

The vulnerability stems from the use of a 2-argument open function in the LoadFile functionality of YAML-LibYAML. When processing untrusted filenames, especially those containing special characters like '>', the function can allow existing files to be modified or truncated unintentionally. The vulnerability has been assigned a CVSS vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (NVD, Wiz Report).

When exploited, this vulnerability can lead to unintended file modification or truncation of existing files on the system. If an attacker can control the filename parameter passed to the LoadFile function, they could potentially modify or destroy important files on the system (Wiz Report).

The vulnerability has been fixed in YAML-LibYAML version 0.903.0 by implementing a 3-argument form of the open function. Users are strongly recommended to upgrade to this version or later. Additionally, it is recommended to validate and sanitize untrusted filenames before processing them (GitHub PR).