Case 60970

Case 60970


Privilege escalation vulnerabilities due to the use of YAML::Syck for serialization

Security Rating

cPanel has assigned a Security Level of “Important” to this vulnerability.


The Perl YAML::Syck module provides support for serialization and deserialization of data structures using the YAML format. In cPanel & WHM this functionality is used for storing human readable configuration files and some interprocess communication. In some areas the use of YAML crosses privilege separation boundaries.

The version of YAML::Syck used in previous releases of cPanel & WHM allowed serialized data to be blessed into arbitrary packages as it was deserialized. This could be leveraged to perform unsafe actions in object destructors.

This vulnerability was discovered by the cPanel Quality Assurance Team.


This issue is resolved in the following builds:

* and greater
* and greater
* and greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at