
(Here's a post describing some of the problems back in the day with Ruby's YAML and JSON: https://williamedwardscoder.tumblr.com/post/43394068341/ruby...

YAML is of course a format that is designed to instantiate objects as described in the source, rather than as checked by the destination, so I wouldn't want the world to adopt YAML instead of Java serialization.)



YAML is primarily used as a hierarchical config format because JSON and XML are too verbose for a human editor.


Exactly. The people loading up a YAML library and using it that way may have no idea it's a potential remote code execution vector into their application.


Luckily, for those that do know what they're doing, it's simple enough to use the yaml.safe_load function that disables support for arbitrary object instantiation.


I believe that the safe_load function only got added because of the spate of exploits that the blog post was talking about.

It's good that it's been added, although it would have been better if it'd been there from the beginning and the safe version was the default and you had to invoke 'unsafe_load' if you wanted complex object instantiation, to hopefully encourage even novices to think twice before doing it with tainted input.
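An added example, not code from the thread or from the Psych project, showing the distinction the two comments above draw: the unsafe loader instantiates whatever class the document's tag names and runs that class's deserialization hook, while safe_load refuses the tag unless the application allow-lists the class. The class AuditHook, the two sample documents and the helper names are constructed for illustration. Psych 4.0 (bundled with Ruby 3.1) later did what the comment asks for: YAML.load became a safe load and YAML.unsafe_load is the explicit opt-in, so the script checks for unsafe_load and falls back to the old unsafe YAML.load on older Psych.

```ruby
require 'yaml'

# Hypothetical class standing in for any class on the application's load path.
# Psych calls init_with(coder) when it revives a !ruby/object:AuditHook node,
# so the *document* decides that this method runs. A real-world target would
# be a class whose init_with or marshal_load has side effects.
class AuditHook
  attr_reader :name, :constructed_via

  def initialize(name)
    @name = name
    @constructed_via = :initialize
  end

  # Called by Psych during deserialization instead of initialize.
  def init_with(coder)
    @name = coder['name']
    @constructed_via = :init_with
  end
end

# Constructed sample inputs. The second carries a type tag chosen by whoever
# wrote the document, not by the code that loads it.
PLAIN_CONFIG = <<~YAML
  database:
    host: db.internal
    port: 5432
YAML

TAGGED_INPUT = <<~YAML
  --- !ruby/object:AuditHook
  name: set by the document
YAML

# Unsafe path: build whatever object the tag names. On Psych 4+ this is
# YAML.unsafe_load; on older Psych the plain YAML.load is the unsafe one.
def unsafe_parse(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Safe path: plain data only, plus an explicit allow-list of classes.
# Anything tagged with a class outside the list raises Psych::DisallowedClass.
def safe_parse(doc, permitted_classes: [])
  YAML.safe_load(doc, permitted_classes: permitted_classes)
end

# True when the safe loader refuses the document because of a class tag.
def rejected_by_safe_load?(doc)
  safe_parse(doc)
  false
rescue Psych::DisallowedClass
  true
end

if __FILE__ == $PROGRAM_NAME
  puts "plain config via safe_load: #{safe_parse(PLAIN_CONFIG).inspect}"
  obj = unsafe_parse(TAGGED_INPUT)
  puts "unsafe load built #{obj.class} via #{obj.constructed_via}"
  puts "safe_load rejects the tagged document: #{rejected_by_safe_load?(TAGGED_INPUT)}"
  allowed = safe_parse(TAGGED_INPUT, permitted_classes: [AuditHook])
  puts "allow-listed class still runs its hook: #{allowed.constructed_via}"
end
```

The allow-list form is the one to reach for when a config legitimately needs a non-primitive type (Symbol, Date, one of your own value classes): permitting a class is an explicit decision in the loading code, whereas the unsafe loader lets the document make that decision for you.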


Archived copy that can be read without JS enabled:

https://archive.is/2JGiJ


> Only it then turns out that the Ruby JSON parser … yes, you’ve guessed it … the Ruby JSON parser can instantiate complex objects too.

Huh. Where can I read more about this?


Read through it, but I won't blame language creators. It's a lot easier to point out that something is broken than to build something better.


And it's a lot easier to build a new broken thing than to fix something broken. Which is what the creators of YAML did.



