For node.js applications that parse user-supplied YAML input using the load() function from the 'js-yaml' package versions below 2.0.5, specifying a self-executing function allows us to execute arbitrary javascript code. This Metasploit module demonstrates that behavior.
cc5320d102ad2ea9d6b424995476c2aab54c6ea13234fab7e8cf266af00a87a5