diff --git a/lib/gitlab/import_export/config.rb b/lib/gitlab/import_export/config.rb
index 423e0933605eaea835d645539818350694668b1d..e1a62e3b25a59bcfbfc29dca62a8cf8e776290d8 100644
--- a/lib/gitlab/import_export/config.rb
+++ b/lib/gitlab/import_export/config.rb
@@ -52,7 +52,7 @@ def merge_ee?
       end
 
       def parse_yaml
-        YAML.load_file(@config)
+        YAML.safe_load_file(@config, aliases: true, permitted_classes: [Symbol])
       end
     end
   end
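Review bot: The new `YAML.safe_load_file` call in `parse_yaml` has no comment explaining why `aliases: true` and `permitted_classes: [Symbol]` are allowed, so a later maintainer has nothing telling them to keep the allowlist narrow. Alias expansion stays enabled, which is reasonable only while `@config` points at a file shipped with the application; where `@config` comes from is not visible in this hunk and should be confirmed. I would add above the call something like `# @config is expected to be a trusted, repo-shipped file: aliases are needed for YAML anchors, and Symbol is the only non-basic class permitted. Do not widen permitted_classes without review.` Any other tagged type in the file will now raise `Psych::DisallowedClass`, and whether callers handle that cannot be seen here because the enclosing class starts outside the hunk.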
diff --git a/spec/lib/gitlab/import_export/attributes_finder_spec.rb b/spec/lib/gitlab/import_export/attributes_finder_spec.rb
index 767b7a3c84e90cc9ef5780624c4c3cdd87d9d7b9..f12cbe4f82fa58dc566c8b7527808e6680100b9f 100644
--- a/spec/lib/gitlab/import_export/attributes_finder_spec.rb
+++ b/spec/lib/gitlab/import_export/attributes_finder_spec.rb
@@ -177,7 +177,8 @@
       end
 
       def setup_yaml(hash)
-        allow(YAML).to receive(:load_file).with(test_config).and_return(hash)
+        allow(YAML).to receive(:safe_load_file)
+          .with(test_config, aliases: true, permitted_classes: [Symbol]).and_return(hash)
       end
     end
   end
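Review bot: The stub in `setup_yaml` returns the hash directly, so Psych's safe loader never runs in this spec and nothing visible here asserts that a document containing a class outside the allowlist is rejected. The `.with(test_config, aliases: true, permitted_classes: [Symbol])` matcher does tie the spec to the exact options used in `config.rb`, which is useful, but it only checks the arguments, not the loader's behaviour. Consider one unstubbed example, possibly in the config spec rather than here, that loads a fixture with a non-permitted tagged object and wraps the load in `expect { ... }.to raise_error(Psych::DisallowedClass)`. The surrounding `describe` block starts outside the hunk, so such an example may already exist elsewhere in the file.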
diff --git a/spec/lib/gitlab/import_export/model_configuration_spec.rb b/spec/lib/gitlab/import_export/model_configuration_spec.rb
index ce965a05a32756c1a3e812988fd08dc11592997b..8e5fe96f3b4413f564043ddd7d83fc0df08b62b9 100644
--- a/spec/lib/gitlab/import_export/model_configuration_spec.rb
+++ b/spec/lib/gitlab/import_export/model_configuration_spec.rb
@@ -9,7 +9,7 @@
   include ConfigurationHelper
 
   let(:all_models_yml) { 'spec/lib/gitlab/import_export/all_models.yml' }
-  let(:all_models_hash) { YAML.load_file(all_models_yml) }
+  let(:all_models_hash) { YAML.safe_load_file(all_models_yml, aliases: true) }
   let(:current_models) { setup_models }
   let(:model_names) { relation_names_for(:project) }