If you are referring to the Ruby YAML vulnerability, the problem is that the deserializer ends up calling methods on the deserialized object. This says it doesn't, it merely warns you against doing it yourself, or at least doing it carelessly.