Making, YAML::Syck and YAML::XS safer by default

Several YAML modules allow loading and dumping objects. When loading untrusted data, this can be a security vulnerability, if this feature is enabled.

You can create any kind of object with YAML. The creation itself is not the critical part, but if the class has a DESTROY method, it will be called once the object is deleted. An example with File::Temp removing files can be found here:

YAML::Syck had the option to disable this feature via $YAML::Syck::LoadBlessed for a long time. Since 2018, also and YAML::XS have this variable.

See also my blog post from 2018: Safely load untrusted YAML in Perl

In the past, this feature was enabled by default in all three modules.

This will now be disabled by default, to make sure that Perl's YAML libraries are, by default, more secure.

If you are using one of the modules to serialize/load objects, you have to set this variable now:

use YAML; # since 1.30
local $YAML::LoadBlessed = 1;

use YAML::Syck; # since 1.32
local $YAML::Syck::LoadBlessed = 1;

use YAML::XS; # since 0.81
local $YAML::XS::LoadBlessed = 1;

Always use local in a very small scope to avoid setting this variable globally.

If you are loading YAML from an untrusted source and are potentially using older versions, it's still recommended to set this variable to 0.

Note that YAML::Tiny cannot load objects at all, and YAML::PP does not load objects by default.

The modules will be released in the next hours.


We saw already some modules breaking (thanks to Slaven Rezic's tireless testing, of course!)

I added a list on Reddit


I really appreciate your enduring effort to improve the state of the YAML! Not only did you create your robust and sophisticated YAML::PP but also push the other YAML modules forward into a sensible state. Thanks for your great work in this field!

Data::Dumper and Storable have the same problem.

Leave a comment

About tinita

user-pic just another perl punk,