The YAML::Syck library contains a buffer underflow bug in the base60 parsing logic used by Perl. When an input string contains a colon‑separated value, the parser may decrement a pointer past the beginning of the buffer for the leftmost segment, resulting in a read one byte before the string allocation. This out‑of‑bounds read can leak arbitrary bytes of memory that are adjacent to the input, potentially exposing sensitive data such as authentication tokens or configuration values. The flaw exists in all releases of TODDR’s YAML::Syck before version 1.38 and is triggered during normal YAML parsing of external input.

The vulnerability affects the TODDR YAML::Syck package implemented in Perl. Any installation of the library with a version prior to 1.38 is susceptible. Future or newer releases (1.38 and later) are considered safe. The product is publicly available on CPAN and can be used by any Perl application that deserializes YAML data.

The severity is unclear because a CVSS score is not provided and the EPSS score is not available. The vulnerability is not currently listed in CISA’s KEV catalog, indicating that no publicly known exploit has been reported. The risk of exploitation depends on whether an attacker can supply or influence YAML input to the application. The likely attack vector is through any interface that accepts user‑supplied YAML, which could be remote or local depending on the deployment. If leveraged, the memory disclosure could aid a broader compromise by revealing credentials or internal pointers, but no direct code execution is implied by the current description.