The wheels are turning, slowly turning.
There is an easy way to determine if a Python RPC library is broken 2005-11-11


If the library employs Python’s pickle module, it is broken. Period.




When will people learn that pickle is not suitable for this task? “Oh, it looks so easy.” “Oh, it’s so fast, just look at those objects fly.” “Oh, it will core my process when handling a maliciously constructed string, there goes my server.” “Oh, it allows arbitrary code to be executed by a remote party, whoops, there goes my credit card database.”




Not convinced? Run this code on your computer:

import pickle
# Protocol-0 pickle from the original post (Python 2 string syntax). The opcodes
# read: GLOBAL posix.system, MARK, STRING 'cat /etc/passwd', TUPLE, REDUCE, STOP.
# REDUCE calls the global on the tuple, so simply loading the data runs a command.
pickle.loads("cposix\nsystem\np0\n(S'cat /etc/passwd'\np1\ntp2\nRp3\n.")

Wake up. This is not news. The pickle documentation explicitly points out the fact that it is not intended to be used in this fashion (although frankly, this warning could be a little closer to the beginning of the pickle documentation). Stop doing it. Stop releasing software that does it. Just stop, already.
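For anyone who must accept pickled data anyway, here is the defensive counterpart to the snippet above: an added example, not code from the original post. It scans the opcode stream with pickletools before loading anything, and then loads through an Unpickler whose find_class refuses every global lookup, so the post's posix.system payload is rejected instead of executed. BENIGN and HOSTILE are constructed test inputs (HOSTILE is the post's own payload as bytes).

```python
import io
import pickle
import pickletools

# Constructed inputs: a harmless RPC-style dict, and the post's payload as bytes.
BENIGN = pickle.dumps({"method": "add", "args": [1, 2]})
HOSTILE = b"cposix\nsystem\np0\n(S'cat /etc/passwd'\np1\ntp2\nRp3\n."

# Opcodes that resolve a global or invoke a callable while the stream is loaded.
DANGEROUS_OPS = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                 "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def dangerous_opcodes(data):
    """List code-running opcodes in `data` without executing it.

    pickletools.genops only disassembles; a truncated or garbled stream makes it
    raise, which we report as MALFORMED rather than letting the loader crash.
    """
    try:
        return [op.name for op, _arg, _pos in pickletools.genops(data)
                if op.name in DANGEROUS_OPS]
    except Exception:
        return ["MALFORMED"]


class RestrictedUnpickler(pickle.Unpickler):
    """Second line of defence: GLOBAL/REDUCE can never reach posix.system."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError("global %s.%s is forbidden" % (module, name))


def safe_loads(data):
    """Return (True, object) for plain data, or (False, reason) for anything else."""
    bad = dangerous_opcodes(data)
    if bad:
        return False, "rejected opcodes: " + ", ".join(bad)
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except Exception as exc:  # malformed input must fail closed, not core the server
        return False, "unpickling failed: %r" % (exc,)


if __name__ == "__main__":
    print(safe_loads(BENIGN))   # (True, {'method': 'add', 'args': [1, 2]})
    print(safe_loads(HOSTILE))  # (False, 'rejected opcodes: GLOBAL, REDUCE')
```

Note that this only makes loading safe; it does not make pickle a sensible wire format, since the allow-list of opcodes also rules out most of the object types people reach for pickle to get.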