{
  "threat_severity" : "Important",
  "public_date" : "2025-06-01T13:41:48Z",
  "bugzilla" : {
    "description" : "yaml-libyaml: LibYAML Perl File Modification Vulnerability",
    "id" : "2369630",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2369630"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-552",
  "details" : [ "YAML-LibYAML prior to 0.903.0 for Perl uses 2-args open, allowing existing files to be modified", "A flaw was found in yaml-libyaml. The component uses a two-argument `open` function when parsing YAML files, which allows an attacker to modify existing files on the system. This flaw allows a local attacker to provide a crafted YAML file as input. This issue can result in unauthorized modification of files." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-06-23T00:00:00Z",
    "advisory" : "RHSA-2025:9329",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::crb",
    "package" : "perl-YAML-LibYAML-1:0.70-2.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-06-23T00:00:00Z",
    "advisory" : "RHSA-2025:9330",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9::crb",
    "package" : "perl-YAML-LibYAML-1:0.82-6.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2025-06-23T00:00:00Z",
    "advisory" : "RHSA-2025:9338",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4::crb",
    "package" : "perl-YAML-LibYAML-1:0.82-6.el9_4.1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-40908\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-40908\nhttps://github.com/ingydotnet/yaml-libyaml-pm/issues/120\nhttps://github.com/ingydotnet/yaml-libyaml-pm/pull/121\nhttps://github.com/ingydotnet/yaml-libyaml-pm/pull/122" ],
  "name" : "CVE-2025-40908",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}