Panic!! At the YAML
ID: 90b103c2-c031-5447-b15c-ec74eff041dd
STIX ID: report--90b103c2-c031-5447-b15c-ec74eff041dd
Feed Name: GreyNoise Labs
This write-up analyzes CVE-2022-1471 in SnakeYAML, an insecure-by-default YAML deserialization issue, and demonstrates a working proof-of-concept that uses YAML tags and Java URLClassLoader/ScriptEngineFactory gadgetry to fetch a malicious .class file and achieve remote code execution. It explains payload construction, serving the gadget, and the importance of the SnakeYAML 2.0 remediation.
