CVE-2025-40908

CVSS v2.0

9.4

Critical

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:N

Name of the Vulnerable Software and Affected Versions

YAML-LibYAML versions prior to 0.903.0

Description

YAML-LibYAML uses a two-argument open function when parsing YAML files, which allows an attacker to modify existing files on the system. This flaw allows a local attacker to provide a crafted YAML file as input, resulting in unauthorized file modification.

Recommendations

Update YAML-LibYAML to version 0.903.0 or later. Run sudo pro fix USN-7632-1 to apply the fix. Update to package version libyaml-libyaml-perl - 0.89+ds-1ubuntu0.24.04.1.

Exploit

Fix

RCE

Files Accessible to External Parties

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-552

Related Identifiers

ALSA-2025:9329

ALSA-2025:9330

AZL-62242

AZL-62279

BDU:2025-08363

CESA-2025_9329

CVE-2025-40908

INFSA-2025_9329

INFSA-2025_9330

MGASA-2025-0275

OESA-2025-1591

OPENSUSE-SU-2025:15261-1

RHSA-2025:9329

RHSA-2025:9330

RHSA-2025:9338

RHSA-2025_9329

RHSA-2025_9330

SUSE-RU-2025:03081-1

SUSE-SU-2025:01885-1

SUSE-SU-2025:01885-2

SUSE-SU-2025:01886-1

SUSE-SU-2025_01885-1

SUSE-SU-2025_01885-2

SUSE-SU-2025_01886-1

USN-7632-1

Affected Products

Almalinux

Astra Linux

Centos

Debian

Linuxmint

Red Hat

Red Os

Rocky Linux

Suse

Ubuntu

Yaml::Libyaml

CVE-2025-40908

Weakness Enumeration

Related Identifiers

Affected Products

References · 67