jsonpickle through 1.4.1 allows remote code execution during deserialization of a malicious payload through the decode() function.
Contrary to the CVE description I've tested 1.4.2 and it's vulnerable too. Unfortunately upstream doesn't think this is an issue and just suggests only deserializing trusted data.
So what am I supposed to do about it?
(In reply to Michał Górny from comment #1)
> So what am I supposed to do about it?
Nothing for you to do that I can see.
In general, there’s nothing we can do for “untrusted pickling”. You shouldn’t do it and it’s documented everywhere, including on jsonpickle’s front page. It shouldn’t have received a CVE unless there are folks actually doing it - which would be a bug in the consumers.
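An added example, not code from this thread or from jsonpickle: a consumer-side gate that parses untrusted input with the standard-library `json` module only and refuses any document carrying jsonpickle's reserved `py/` keys, so such data never reaches `jsonpickle.decode()`. The function names and sample documents are constructed for illustration, and it assumes the consumer needs only plain data from untrusted sources.

```python
import json

# jsonpickle marks values it should rebuild as Python objects with reserved
# keys such as "py/object", "py/type" and "py/reduce"; all share this prefix.
TAG_PREFIX = "py/"


class TaggedInputError(ValueError):
    """Untrusted JSON carried a jsonpickle type tag."""


def _reject_tags(pairs):
    # json calls this hook once per JSON object, at every nesting depth,
    # with the (key, value) pairs in document order.
    for key, _ in pairs:
        if key.startswith(TAG_PREFIX):
            raise TaggedInputError(f"jsonpickle tag {key!r} in untrusted input")
    return dict(pairs)


def load_untrusted(text):
    """Parse untrusted text as plain JSON.

    Only dict, list, str, int, float, bool and None can come out of this;
    no class is imported or instantiated based on the input.
    """
    return json.loads(text, object_pairs_hook=_reject_tags)


def is_plain_json(text):
    """True if text is valid JSON with no jsonpickle tags anywhere in it."""
    try:
        load_untrusted(text)
        return True
    except ValueError:  # TaggedInputError and json.JSONDecodeError
        return False


# Constructed sample documents (hypothetical names, benign content).
PLAIN = '{"user": "alice", "roles": ["dev"], "meta": {"n": 3}}'
TAGGED = '{"user": "alice", "meta": [{"py/object": "example.Placeholder"}]}'

if __name__ == "__main__":
    for label, doc in (("plain", PLAIN), ("tagged", TAGGED)):
        print(label, "accepted" if is_plain_json(doc) else "rejected")
```
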