28. Pickle and Serialization Risks

The pickle module can deserialize arbitrary Python objects, including executable code.

Insecure Example

import pickle
data = pickle.loads(b"cos\nsystem\n(S'rm -rf /'\ntR.")  # Code execution!

Secure Example

import json
data = json.loads('{"safe": "data"}')
print(data)

✅ Lesson: Avoid pickle for untrusted data. Use json, csv, or pydantic instead.