#VU110694 Input validation error in YAML-LibYAML - CVE-2025-40908

Cybersecurity Help s.r.o.

Published: 2025-06-10

Vulnerability identifier: #VU110694

Vulnerability risk: Medium

CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-40908

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
YAML-LibYAML
Other software / Other software solutions

Vendor: TINITA

Description

The vulnerability allows a remote attacker to overwrite arbitrary files on the system.

The vulnerability exists due to insufficient validation of user-supplied input in LoadFile method. A remote attacker can pass specially crafted arguments to the affected method and overwrite arbitrary files on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

YAML-LibYAML: 0.01 - 0.902.0

External links
https://github.com/ingydotnet/yaml-libyaml-pm/issues/120
https://github.com/ingydotnet/yaml-libyaml-pm/pull/121
https://github.com/ingydotnet/yaml-libyaml-pm/pull/122

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Red Hat Enterprise Linux 8 update for perl-YAML-LibYAML

Anolis OS update for perl-YAML-LibYAML

Red Hat Enterprise Linux 9 update for perl-YAML-LibYAML

Gentoo update for YAML-LibYAML

SUSE update for perl-YAML-LibYAML

openEuler update for perl-YAML-LibYAML

Improper input validation in YAML-LibYAML