# Unsafe yaml load can lead to remote code execution

Severity: Low
Program: Liberapay
Reported by: tarun_sec

## Vulnerability Details
### TL;DR

`yaml.load()` has the ability to construct an arbitrary Python object. This is dangerous if you receive a YAML document from an untrusted source.

### Proof of concept

https://github.com/liberapay/liberapay.com/blob/master/liberapay/testing/vcr.py#L40

### How do I fix it?

Always use `yaml.safe_load()`. This function limits this ability to simple Python objects like integers or lists.

If you have any questions, please comment on the report.

Best regards,
mrrobot2050
## Impact
`yaml.load()` has the ability to construct an arbitrary Python object. This is dangerous if you receive a YAML document from an untrusted source.
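The two loaders side by side, plus a pre-load check that lists any python/* tags in a document before a single object is constructed, as an added example that is not code from the report or from Liberapay; it assumes PyYAML 5.1 or later, and the sample documents are constructed.

```python
import yaml
from yaml.constructor import ConstructorError

PYTHON_TAG_PREFIX = "tag:yaml.org,2002:python/"

# Constructed sample documents, not taken from the Liberapay repository.
PLAIN_DOC = "url: https://example.invalid/api\nretries: 3\n"
TAGGED_DOC = "url: https://example.invalid/api\nretries: !!python/tuple [1, 2]\n"


def python_tags(text):
    """List the python/* tags in a document without constructing any object.

    yaml.compose only parses and resolves tags into a node graph; constructors
    never run, so this is safe to call on untrusted input before loading it.
    """
    found = []

    def walk(node):
        if node is None:  # empty document
            return
        if node.tag.startswith(PYTHON_TAG_PREFIX):
            found.append(node.tag)
        if isinstance(node, yaml.SequenceNode):
            for child in node.value:
                walk(child)
        elif isinstance(node, yaml.MappingNode):
            for key, value in node.value:
                walk(key)
                walk(value)

    walk(yaml.compose(text, Loader=yaml.SafeLoader))
    return found


def load_untrusted(text):
    """Parse YAML from an untrusted source with the safe loader only.

    SafeLoader knows just the core YAML types and raises ConstructorError on
    any python/* tag; re-raise it as ValueError so callers treat it as input.
    """
    try:
        return yaml.safe_load(text)
    except ConstructorError as exc:
        raise ValueError(f"rejected YAML document: {exc.problem}") from exc


def load_full(text):
    """For contrast: the non-safe loader turns tags into Python-native objects.
    Loader is passed explicitly; PyYAML 5.x warns if omitted, 6.0 requires it."""
    return yaml.load(text, Loader=yaml.FullLoader)
```

Running `python_tags` on a cassette or config file before loading it is a cheap way to flag documents that only a non-safe loader would accept.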
## Report Details

State: Closed
Substate: Resolved
Weakness: Deserialization of Untrusted Data