YamlDotNet is susceptible to remote code execution (RCE) through insecure direct object references. This can happen because the Deserializer.Deserialize()
function does not prevent deserialization of user-controlled types. It resolves the type named in a node's tag with

    currentType = Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);

and the (de)serializer creates instances blindly, allowing arbitrary code to be executed.
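
The tag-to-type lookup quoted above, set beside an allow-listed alternative, as an added example that is not YamlDotNet's own code. ServerConfig, TagResolution and the "!server" tag are hypothetical names, and the sample tags are constructed.

```csharp
using System;
using System.Collections.Generic;

// Added illustration; not YamlDotNet source. All names here are hypothetical.
public sealed class ServerConfig { public string Host { get; set; } = ""; }

public static class TagResolution
{
    // Pattern described above: the tag text after '!' is handed to Type.GetType,
    // so the author of the document chooses which loadable type is resolved.
    public static Type? ResolveUnrestricted(string tag) =>
        Type.GetType(tag.Substring(1), throwOnError: false);

    // Hardened form: tags are opaque labels mapped only to types the application expects.
    private static readonly Dictionary<string, Type> Allowed =
        new(StringComparer.Ordinal) { ["!server"] = typeof(ServerConfig) };

    public static Type ResolveAllowListed(string tag) =>
        Allowed.TryGetValue(tag, out var type)
            ? type
            : throw new InvalidOperationException($"Tag '{tag}' is not an allowed type.");
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample tags; the second names a harmless framework type.
        string[] tags = { "!server", "!System.Text.StringBuilder" };

        foreach (var tag in tags)
        {
            var unrestricted = TagResolution.ResolveUnrestricted(tag);
            Console.WriteLine($"{tag}: unrestricted -> {unrestricted?.FullName ?? "(unresolved)"}");
            try
            {
                // Only an allow-listed type ever reaches instantiation.
                var type = TagResolution.ResolveAllowListed(tag);
                Console.WriteLine($"{tag}: allow-list   -> {Activator.CreateInstance(type)!.GetType().Name}");
            }
            catch (InvalidOperationException ex)
            {
                Console.WriteLine($"{tag}: allow-list   -> rejected ({ex.Message})");
            }
        }
    }
}
```

The unrestricted lookup resolves any type name the runtime can load from the tag, while the allow-list rejects every tag the application did not register.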