Summary

decode() calls pickle.loads() with zero validation whenever a msgpack payload sets kind=b'O', so any caller of unpackb() / unpack() / Unpacker will execute arbitrary code embedded in the pickle stream. The pickle reduce protocol lets a 122-byte crafted .msgpack file invoke os.system, subprocess.Popen, etc. This is the unfixed vulnerability documented in #57 and partially addressed by the unmerged #52.

This PR gates the pickle path on an explicit allow_pickle kwarg, matching numpy's own np.load(allow_pickle=...) convention:

The kwarg is threaded through decode(), all three Unpacker.__init__ branches (msgpack < 0.4 / < 1.0 / ≥ 1.0), unpack(), and unpackb(). pack() / packb() accept and discard it for symmetry.

Compatibility

This is a breaking change for callers that round-trip object-dtype ndarrays through unpackb() without specifying allow_pickle. The fix is one keyword:

arr = msgpack.unpackb(packed, allow_pickle='restricted')

Existing object-dtype callers can migrate either to 'restricted' (recommended) or to True (explicit opt-in to the legacy unrestricted path).

Tests

The existing test_numpy_array_object opts in via allow_pickle='restricted'. Five new tests cover:

• Default refusal raises ValueError with a message naming allow_pickle
• allow_pickle=True restores legacy round-trip behavior
• Hand-crafted os.system __reduce__ payload is refused with the default
• Same payload is refused by the restricted unpickler with pickle.UnpicklingError
• builtins.eval gadget is on the explicit block list
• Bad allow_pickle values raise ValueError

All 36 tests pass locally on Python 3.13 / numpy 2.4.2 / msgpack 1.1.1.

Disclosure

Filed via huntr.com on 2026-04-12 and validated by huntr triage on 2026-05-29 (CWE-502, CVSS 8.8). This PR is the proposed coordinated-disclosure fix.

Closes #57. Supersedes #52 (extends with restricted-unpickler opt-in).