Arbitrary Code Execution
Affecting yamldotnet package, versions [,5.0.0)
yamldotnetprovides low level parsing and emitting of YAML as well as a high level object model similar to XmlDocument.
Affected versions of this package are vulnerable to Arbitrary Code Execution.
Deserializer.Deserialize() function deserializes user-controlled types and blindly instantiates them. An attacker may send a specually crafted yaml file, which will then execute code in the context of the running process.
yamldotnet to version 5.0.0 or higher.