VCR.py: Arbitrary code execution via unsafe YAML deserialization of cassette files
vcrpy deserializes YAML cassette files with PyYAML's object-constructing loader (yaml.CLoader / yaml.Loader) instead of the safe loader (yaml.CSafeLoader / yaml.SafeLoader). A cassette containing a !!python/object/apply: (or similar) tag therefore executes arbitrary Python code the moment the cassette is loaded — including through the normal VCR().use_cassette() path, before any HTTP interaction is replayed. This is not limited to environments lacking the libYAML C extension. CLoader uses the C parser but PyYAML's …
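As an added illustration of the mitigation (this is example code, not vcrpy's own code or the advisory's), the block below loads a cassette with PyYAML's safe loader, which constructs only the standard YAML types and raises `yaml.constructor.ConstructorError` on any `!!python/...` tag, and it adds a defence-in-depth pre-check that refuses a cassette text mentioning such a tag before the parser ever sees it. The function names, the regex, and both cassette texts are constructed for this example; the cassette layout mirrors the `interactions` / `version: 1` shape vcrpy writes, and the tagged cassette uses a placeholder callable name rather than anything executable. Only the hardened path is exercised; the unsafe loader is never called.

```python
"""Hardened cassette loading: SafeLoader plus a pre-parse tag check (example code)."""
import re
from typing import List

# Matches the tag forms PyYAML's unsafe Loader resolves to Python object construction:
# the "!!python/..." shorthand and the expanded "tag:yaml.org,2002:python/..." form
# (as seen inside "!<...>" verbatim tags). Constructed for this example.
PYTHON_TAG = re.compile(r"(?:!!|tag:yaml\.org,2002:)python/[\w/]*(?::[\w.]+)?")

# Constructed cassette in the shape vcrpy writes (benign).
CLEAN_CASSETTE = """\
interactions:
- request:
    body: null
    headers: {}
    method: GET
    uri: https://example.invalid/api
  response:
    body: {string: '{"ok": true}'}
    headers: {}
    status: {code: 200, message: OK}
version: 1
"""

# Constructed cassette carrying a Python-constructing tag. The callable name is a
# placeholder; the point is that the tag is refused, whatever it names.
TAGGED_CASSETTE = """\
interactions:
- request:
    body: !!python/object/apply:example.placeholder [[]]
    headers: {}
    method: GET
    uri: https://example.invalid/api
  response:
    body: {string: ''}
    headers: {}
    status: {code: 200, message: OK}
version: 1
"""


def find_python_tags(cassette_text: str) -> List[str]:
    """Return every Python-constructing tag occurrence found in the raw cassette text."""
    return [m.group(0) for m in PYTHON_TAG.finditer(cassette_text)]


def is_safe_cassette_text(cassette_text: str) -> bool:
    """True when the pre-parse check finds no Python-constructing tags."""
    return not find_python_tags(cassette_text)


def load_cassette(cassette_text: str) -> dict:
    """Parse a cassette with the safe loader only.

    The textual pre-check is defence in depth: the real fix is the loader choice,
    because SafeLoader has no constructor for python/* tags and raises
    yaml.constructor.ConstructorError if one reaches it.
    """
    found = find_python_tags(cassette_text)
    if found:
        raise ValueError(f"refusing cassette with Python-constructing tags: {found}")
    import yaml  # PyYAML; imported lazily so the pre-check itself needs no dependency

    # Prefer the libYAML-backed safe loader when the C extension is present;
    # both variants construct only standard YAML types.
    loader = getattr(yaml, "CSafeLoader", yaml.SafeLoader)
    return yaml.load(cassette_text, Loader=loader)


if __name__ == "__main__":
    print("tags found:", find_python_tags(TAGGED_CASSETTE))
    try:
        load_cassette(TAGGED_CASSETTE)
    except ValueError as exc:
        print("blocked:", exc)
    try:
        data = load_cassette(CLEAN_CASSETTE)
        print("loaded:", data["interactions"][0]["request"]["uri"])
    except ImportError:
        print("PyYAML not installed; pre-check ran, parse skipped")
```

In a vcrpy deployment the equivalent change is to pass `Loader=yaml.CSafeLoader` (falling back to `yaml.SafeLoader`) to `yaml.load` in the cassette serializer; the pre-check is useful as an audit over cassettes already checked into a repository, since a tag of this kind has no legitimate place in recorded HTTP traffic.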