Because pickle is so easy to attack. It's a format that can be deserialized to pretty much any Python code, and Python can do pretty much anything, so if you unpickle a compromised payload, it's free game.

Because some people make processed data/pretrained models available online as pickle files.

It'd be nice to be able to open them without having to worry about bad actors nuking my home directory.

Pickle objects can be (almost) anything. Including arbitrary code. Now, imagine a bad actor claiming to be publishing a SOTA Random Forests model. However, embedded in their .pkl file is a statement like import shutils; shutils.rmtree(‘./’);.

Pickle will happily execute this code. There is nothing checking whether or not the pickle file is safe or not.

P.S. of course the syntax is not that simple, but I hope you get it (and I’m on mobile, yada yada…)

I have found it to be about dependance more than security. Dépendance created by pickle are rather strict. I have found it to render significant part of my work unusable when upgrading python version.

It can execute arbitrary code as others said. Other ML frameworks (TF/Keras, PyTorch) are also researching alternative solutions to this at the moment. you should never deserialize a pickle on your local unless it's made by you. pickle is made for python in general, not specifically for machine learning. this format is used to serialize sklearn models/pipelines avoiding pickle.