Security Advisories (2)
CVE-2025-11683 (2025-10-16)

YAML::Syck versions before 1.36 for Perl have missing null terminators in token.c, which cause an out-of-bounds read and potential information disclosure: an adjacent variable can be read. The issue is seen with complex YAML files containing a hash of all keys with empty values. There is no indication that the issue leads to accessing memory outside that allocated to the module.

CVE-2026-4177 (2026-03-16)

YAML::Syck versions through 1.36 for Perl have several potential security vulnerabilities, including a high-severity heap buffer overflow in the YAML emitter. The heap overflow occurs when class names exceed the initial 512-byte allocation. The base64 decoder could read past the buffer end on trailing newlines. strtok mutated n->type_id in place, corrupting shared node data. A memory leak occurred in syck_hdlr_add_anchor when a node already had an anchor: the incoming anchor string 'a' was leaked on early return. JSON::Syck ships in the same distribution and uses the bundled libsyck code (see AUTHORS), so these advisories apply to it as well.

NAME

JSON::Syck - JSON is YAML

SYNOPSIS

use JSON::Syck;

my $data = JSON::Syck::Load($json);
my $json = JSON::Syck::Dump($data);

DESCRIPTION

JSON::Syck is a syck implementation of JSON parsing and generation. Because JSON is YAML (http://redhanded.hobix.com/inspect/yamlIsJson.html), using syck gives you a very fast and memory-efficient parser and dumper for JSON data.

DIFFERENCE WITH JSON

You might want to know the difference between JSON and JSON::Syck.

Since JSON is a pure-perl module and JSON::Syck is based on libsyck, JSON::Syck is expected to be considerably faster and more memory efficient. See chansen's benchmark table at http://idisk.mac.com/christian.hansen/Public/perl/serialize.pl

JSON.pm comes with dozens of ways to do the same thing and lots of options, while JSON::Syck doesn't: there are only Load and Dump.

Oh, and JSON::Syck doesn't use camelCase method names :-)

REFERENCES

SCALAR REFERENCE

For now, when you pass a scalar reference to JSON::Syck, it dereferences it to get the actual scalar value. This means that if you pass a self-referencing reference, JSON::Syck goes into an infinite loop. Don't do it; if the data you dump comes from somewhere you do not control, check it for cycles first.

If you want to serialize self-referencing structures, use YAML, which supports them.

SUBROUTINE REFERENCE

When you pass a subroutine reference, JSON::Syck dumps it as null.
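The two cases above (a self-referencing reference hanging the dumper, a code reference becoming null) are easiest to see with a guard in front of Dump. The following is an added example, not code from JSON::Syck itself; find_cycle and safe_dump are hypothetical helpers written for this page, and the inputs are constructed. The cycle check is deliberately broader than the scalar-reference case the text describes: it rejects any structure that refers back to one of its own ancestors, whatever the container type, since a structure that needs anchors cannot be represented in JSON anyway.

```perl
use strict;
use warnings;
use Scalar::Util qw(reftype refaddr);
use JSON::Syck ();

# Depth-first walk; a reference met again while it is still on the current
# path is a cycle. Returns a readable path to the first cycle found, or
# undef if the structure is a tree. (Hypothetical helper, not part of JSON::Syck.)
sub find_cycle {
    my ($node, $path, $onpath) = @_;
    $path   //= [];
    $onpath //= {};
    return undef unless ref $node;

    my $addr = refaddr($node);
    return join('', '$data', @$path) . ' refers back to an ancestor'
        if $onpath->{$addr};
    $onpath->{$addr} = 1;

    my $type = reftype($node);
    my $found;
    if ($type eq 'HASH') {
        for my $k (sort keys %$node) {
            $found = find_cycle($node->{$k}, [@$path, "{$k}"], $onpath);
            last if defined $found;
        }
    } elsif ($type eq 'ARRAY') {
        for my $i (0 .. $#$node) {
            $found = find_cycle($node->[$i], [@$path, "[$i]"], $onpath);
            last if defined $found;
        }
    } elsif ($type eq 'SCALAR' || $type eq 'REF') {
        $found = find_cycle($$node, [@$path, '->$'], $onpath);
    }
    # CODE, GLOB and other reference types are leaves; JSON::Syck emits
    # code references as null, so there is nothing to descend into.

    delete $onpath->{$addr};
    return $found;
}

# Refuse to hand a cyclic structure to JSON::Syck, which would loop forever.
sub safe_dump {
    my ($data) = @_;
    my $cycle = find_cycle($data);
    die "refusing to serialize cyclic data: $cycle\n" if defined $cycle;
    return JSON::Syck::Dump($data);
}

# Constructed inputs.
my $tree = { name => 'svc', ports => [80, 443], on_start => sub { 1 } };
print safe_dump($tree), "\n";          # on_start comes out as null

my $cyclic = { name => 'loop' };
$cyclic->{self} = $cyclic;             # hash that contains itself
eval { safe_dump($cyclic) } or print "rejected: $@";

my $selfref;
$selfref = \$selfref;                  # the self-referencing reference the text warns about
eval { safe_dump($selfref) } or print "rejected: $@";
```

The guard costs one extra pass over the data, which is cheap next to an unbounded loop in XS code that cannot be interrupted from Perl; for untrusted or deeply nested input it is the difference between a clean error and a hung worker.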

UNICODE FLAGS

By default this module does not touch any Unicode flags: it expects UTF-8 bytes to be passed in and emits UTF-8 bytes. However, when you set $JSON::Syck::ImplicitUnicode to 1, this module decodes UTF-8 byte strings and sets the Unicode flag on everything it produces, as in:

JSON (UTF-8 bytes)     => Perl (Unicode flagged)
JSON (Unicode flagged) => Perl (Unicode flagged)
Perl (UTF-8 bytes)     => JSON (Unicode flagged)
Perl (Unicode flagged) => JSON (Unicode flagged)
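Mixing the two interfaces in one program is how strings end up double-encoded or counted in bytes when the code expects characters, so it is worth pinning the choice at the boundary. The following is an added example, not code from the module; load_from_bytes and load_as_characters are hypothetical wrappers that localise $JSON::Syck::ImplicitUnicode around each call, and the input is constructed.

```perl
use strict;
use warnings;
use Encode qw(encode_utf8 is_utf8);
use JSON::Syck ();

# Byte interface (the default): JSON::Syck expects UTF-8 bytes. If a caller
# hands us a character string, encode it first so the module receives what
# it expects. The result is returned as it comes back: unflagged bytes.
# (Hypothetical wrapper, not part of JSON::Syck.)
sub load_from_bytes {
    my ($json) = @_;
    $json = encode_utf8($json) if is_utf8($json);
    local $JSON::Syck::ImplicitUnicode = 0;
    return JSON::Syck::Load($json);
}

# Character interface: let JSON::Syck decode UTF-8 and flag the result, so
# length(), regexes and comparisons operate on characters, not bytes.
sub load_as_characters {
    my ($json) = @_;
    local $JSON::Syck::ImplicitUnicode = 1;
    return JSON::Syck::Load($json);
}

# Constructed input: "cafe" with an acute accent, 4 characters but 5 bytes
# once encoded as UTF-8 (no 'use utf8' here, so \x{e9} is a Latin-1 character
# that encode_utf8 turns into the two-byte sequence).
my $json_bytes = encode_utf8(qq({"name":"caf\x{e9}"}));

my $as_bytes = load_from_bytes($json_bytes)->{name};
my $as_chars = load_as_characters($json_bytes)->{name};

printf "byte interface:      utf8 flag=%d  length=%d\n",
    is_utf8($as_bytes) ? 1 : 0, length $as_bytes;
printf "character interface: utf8 flag=%d  length=%d\n",
    is_utf8($as_chars) ? 1 : 0, length $as_chars;
```

Running it shows the same JSON text yielding a different length depending on the interface; pick one wrapper per program and keep the global out of the rest of the code, since $JSON::Syck::ImplicitUnicode is process-wide and a library that flips it silently changes what every other caller gets back.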

QUOTING

According to the JSON specification, all JSON strings must be double-quoted. However, when embedding JavaScript in HTML attributes, it may be more convenient to use single quotes.

Setting $JSON::Syck::SingleQuote to 1 makes both Dump and Load expect single-quoted string literals. Be aware that single-quoted output is not standard JSON and conforming parsers will reject it, and that placing the result in an HTML attribute still requires HTML-escaping it; the quote style alone does not make it safe to interpolate.
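To see the interoperability cost, dump the same data both ways and feed each result to a strict parser. The following is an added example, not code from JSON::Syck; it uses JSON::PP (core since Perl 5.14) purely as a reference parser that rejects single-quoted strings by default, is_standard_json and html_attr are hypothetical helpers written for this page, and the data is constructed.

```perl
use strict;
use warnings;
use JSON::Syck ();
use JSON::PP ();   # strict reference parser; does not accept single quotes by default

my $data = { msg => q(it's "quoted" & <b>bold</b>) };

# Standard, double-quoted output.
my $strict = do { local $JSON::Syck::SingleQuote = 0; JSON::Syck::Dump($data) };

# Single-quoted output: only JSON::Syck with the same flag set reads it back.
my $single = do { local $JSON::Syck::SingleQuote = 1; JSON::Syck::Dump($data) };

# Returns 1 if a conforming JSON parser accepts the text, 0 otherwise.
# (Hypothetical helper, not part of JSON::Syck.)
sub is_standard_json {
    my ($text) = @_;
    return eval { JSON::PP->new->decode($text); 1 } ? 1 : 0;
}

print "double-quoted: $strict\n";
print "  accepted by JSON::PP: ", is_standard_json($strict), "\n";
print "single-quoted: $single\n";
print "  accepted by JSON::PP: ", is_standard_json($single), "\n";

# Whatever the quote style, JSON going into an HTML attribute must be
# HTML-escaped; the five characters below are the ones that can break out
# of an attribute value. (Hypothetical helper, not part of JSON::Syck.)
sub html_attr {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

print qq(<div data-config="), html_attr($strict), qq("></div>\n);
```

Once the attribute value is escaped, the original reason for single quotes goes away: the double quotes inside the JSON become &quot; and the attribute can use ordinary double quotes, so the standard form is both safe to embed and readable by every other JSON consumer.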

AUTHORS

Audrey Tang <cpan@audreyt.org>

Tatsuhiko Miyagawa <miyagawa@gmail.com>

This module is originally forked from Audrey Tang's excellent YAML::Syck module and 99.9% of the XS code is written by Audrey.

The libsyck code bundled with this module is written by why the lucky stiff, under a BSD-style license. See the COPYING file for details.

This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.