/ 
YAML-Syck-1.38
River stage three • 198 direct dependents • 947 total dependents
⭐ Starred 9 GitHub stars
Security Advisories (1)
CVE-2026-4177 (2026-03-16)

YAML::Syck versions through 1.36 for Perl has several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter. The heap overflow occurs when class names exceed the initial 512-byte allocation. The base64 decoder could read past the buffer end on trailing newlines. strtok mutated n->type_id in place, corrupting shared node data. A memory leak occurred in syck_hdlr_add_anchor when a node already had an anchor. The incoming anchor string 'a' was leaked on early return.

Changes for version 1.38

  • Bug Fixes
    • Fix: escape solidus (/) as \/ in JSON::Syck::Dump for XSS safety (GH #125, PR #130)
    • Fix: anchor tracking for blessed scalar refs in Dump (GH #126, PR #131)
    • Fix: prevent buffer underflow in base60 (sexagesimal) parsing (PR #133)
    • Fix: guard against NULL type from strtok in tag parsing (PR #135)
    • Fix: correct copy-paste bug in syck_seq_assign() ASSERT macros (PR #137)
  • Improvements
    • Resolve TODO tests for empty/invalid YAML to match actual behavior (GH #127, PR #129)
  • Maintenance
    • Remove dead Perl 5.6 TODOs and convert 5.8 TODO to SKIP (PR #129)
    • Add comprehensive implicit type resolution test suite (PR #137)
    • Update MANIFEST to include all unit tests
    • Clean up test names to remove unnecessary numbering

Modules

JSON::Syck
JSON is YAML (but consider using JSON::XS instead!)
YAML::Syck
Fast, lightweight YAML loader and dumper

Provides

YAML::Dumper::Syck
in lib/YAML/Dumper/Syck.pm
YAML::Loader::Syck
in lib/YAML/Loader/Syck.pm

Other files