In PyYAML before 4.1, the yaml.load() API could execute arbitrary code. In other words, yaml.load() does not apply the restrictions of yaml.safe_load.
{ "affected_functions": [ "yaml.load", "yaml.dump", "safe_dump_all", "safe_dump", "yaml.CSafeLoader", "yaml.CLoader", "yaml.CSafeDumper", "yaml.CDumper", "yaml.SafeDumper", "yaml.Dumper", "yaml.SafeLoader", "yaml.Loader" ] }
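A static check for the call pattern this advisory describes, added here as an example and not part of the advisory or of PyYAML: it walks a Python file's AST and reports yaml.load() calls that pass no Loader, or a Loader other than yaml.SafeLoader / yaml.CSafeLoader. The function names and the sample source are constructed for illustration, and loaders are matched by name only, so a locally defined class that reuses one of those names would pass.

```python
import ast

SAFE_LOADERS = {"SafeLoader", "CSafeLoader"}  # loaders that build only plain YAML types

def _name_of(node):
    """Trailing identifier of a Name/Attribute node, else None."""
    if isinstance(node, ast.Attribute):
        return node.attr
    return node.id if isinstance(node, ast.Name) else None

def find_unsafe_yaml_load(source):
    """Return sorted [(lineno, reason)] for yaml.load() calls without a safe Loader."""
    nodes = list(ast.walk(ast.parse(source)))
    # Names that the yaml module and its load() function are bound to in this file.
    modules = {a.asname or a.name for n in nodes if isinstance(n, ast.Import)
               for a in n.names if a.name == "yaml"}
    funcs = {a.asname or a.name for n in nodes
             if isinstance(n, ast.ImportFrom) and n.module == "yaml"
             for a in n.names if a.name == "load"}
    findings = []
    for call in (n for n in nodes if isinstance(n, ast.Call)):
        f = call.func
        via_module = (isinstance(f, ast.Attribute) and f.attr == "load"
                      and isinstance(f.value, ast.Name) and f.value.id in modules)
        via_import = isinstance(f, ast.Name) and f.id in funcs
        if not (via_module or via_import):
            continue
        # Loader is the second positional argument or the Loader= keyword.
        positional = call.args[1] if len(call.args) > 1 else None
        loader = next((k.value for k in call.keywords if k.arg == "Loader"), positional)
        if loader is None:
            findings.append((call.lineno, "no Loader argument"))
        elif _name_of(loader) not in SAFE_LOADERS:
            findings.append((call.lineno, "Loader is not a safe loader"))
    return sorted(findings)

# Constructed sample input, not taken from any real code base.
SAMPLE = """import yaml
from yaml import load as yl, SafeLoader
a = yaml.load(data)
b = yaml.load(data, Loader=yaml.SafeLoader)
c = yaml.load(data, Loader=yaml.Loader)
d = yl(data)
e = yl(data, SafeLoader)
f = yaml.safe_load(data)
"""

if __name__ == "__main__":
    print(find_unsafe_yaml_load(SAMPLE))
```

Calls through yaml.safe_load and calls to an unrelated load() such as json.load are not reported.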