YAML-Syck-1.37_01

Security Advisories (1)

CVE-2026-4177 (2026-03-16)

YAML::Syck versions through 1.36 for Perl has several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter. The heap overflow occurs when class names exceed the initial 512-byte allocation. The base64 decoder could read past the buffer end on trailing newlines. strtok mutated n->type_id in place, corrupting shared node data. A memory leak occurred in syck_hdlr_add_anchor when a node already had an anchor. The incoming anchor string 'a' was leaked on early return.

Changes for version 1.37_01

Fix: apply JSON postprocessing to JSON::Syck::DumpFile output (GH #104)
Fix: add tied-filehandle fallback to JSON::Syck::DumpFile (GH #98)
Fix: handle JSON escape sequences in SingleQuote mode Load (GH #99)
Fix: correct $SortKeys POD default from false to true (GH #100)
Fix: correct copy-paste error in Makefile.PL clean target (GH #101)
Fix: correct POD documentation errors (GH #103)
CI: add disttest job to validate MANIFEST completeness
Silence macOS compiler warnings (GH #92)
Fix DumpFile with tied filehandles (IO::String, IO::Scalar) (GH #22)
Add C23-compatible function prototypes for GCC 15 compatibility
Fix JSON::Syck::Dump to use JSON-valid \uXXXX escapes in output (GH #21)
Add LoadBytes, LoadUTF8, DumpBytes, DumpUTF8 functions (GH #51)
Fix growing !!perl/regexp objects in roundtrips (GH #43)
Fix quoted '=' being transformed into 'str' (GH #45)
Fix flow sequence comma separator not recognized without trailing space (GH #60)
Fix backslash-space escape in double-quoted YAML strings (GH #61)
Remove trailing whitespace from YAML output lines (GH #37, #38, #39)
Fix quoting of \r and \t in YAML output instead of emitting raw bytes (GH #40)
Address C-layer audit findings (GH #67)
Fix dumping strings with tabs and carriage returns as plain scalars (GH #59)
Fix dumping strings starting with '...' as unquoted plain scalars (GH #34)
Fix extra newline after empty arrays/hashes in YAML output (GH #36)
Fix JSON::Syck::Load decoding of \/ and \uXXXX escape sequences (GH #30)
Fix dumping of tied hashes (GH #31)
Fix _is_glob to recognize IO::Handle subclasses (GH #23)
Fix memory leak when dumping filehandles (RT#41199, GH #42)
Guard stdint.h include for portability (HP-UX 11.11) (GH #33)
Fix double-dash YAML parsing (RT#34073, GH #35)
Fix wide character warning in DumpFile (GH #28)
Add regression tests for magical variable dumping (GH #32)
Fix: quote strings matching YAML implicit types to prevent roundtrip failures (GH #26)
Fix inline arrays without space after comma (GH #25)
Guard stdint.h include in syck_st.h for portability (GH #24)
Update ppport.h to 3.68

Modules

JSON::Syck

JSON is YAML (but consider using JSON::XS instead!)

YAML::Syck

Fast, lightweight YAML loader and dumper

Provides

YAML::Dumper::Syck

in lib/YAML/Dumper/Syck.pm

YAML::Loader::Syck

in lib/YAML/Loader/Syck.pm

Other files

To install YAML::Syck, copy and paste the appropriate command in to your terminal.

cpanm

cpanm YAML::Syck

CPAN shell

perl -MCPAN -e shell
install YAML::Syck

For more information on module installation, please visit the detailed CPAN module installation guide.

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	Go to GitHub issues (only if GitHub is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

	Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)

Changes for version 1.37_01

Modules

Provides

Other files

Module Install Instructions