Gentoo: GLSA-202506-12 critical: JSON-LibJSON code execution
gentoo
June 12, 2025
A vulnerability has been discovered in YAML-LibYAML, which can lead to shell injection.
Summary
YAML-LibYAML uses the legacy '2-arg' open() call which is susceptible to
shell injection via malicious filenames.
Topics Covered
Resolution
All YAML-LibYAML users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=dev-perl/YAML-LibYAML-0.903.0"
# emerge --sync # emerge --ask --oneshot --verbose ">=dev-perl/YAML-LibYAML-0.903.0"
References
[ 1 ] CVE-2025-40908
https://nvd.nist.gov/vuln/detail/CVE-2025-40908
Availability
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202506-11
style>.gentoo_availability{display:block;}
Concerns
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
PREVIOUS
NEXT
Severity: Normal
Title: YAML-LibYAML: Shell injection
Date: June 12, 2025
Bugs: #949498
ID: 202506-11
Topics Covered
Background
YAML-LibYAML provides YAML Serialization using XS and libyaml for Perl.
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Affected Packages
Package Vulnerable Unaffected
--------------------- ------------ ------------
dev-perl/YAML-LibYAML < 0.903.0 >= 0.903.0
Impact
Shell injection may be used to execute arbitrary code using a malicious
filename.
Workaround
There is no known workaround at this time.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!