Currently,ast.literal_eval() documentation gives multiple security warranties:

• Safely evaluate
• This can be used forsafely evaluating strings containing Python values fromuntrusted sources

IMO that's plain wrong if you read the following RED WARNING:

It is possible tocrash the Python interpreter (...)

The documentation should be rephrased to only described the purpose of the function and make it very clear that it must NOT be used on untrusted sources.

We can follow the phrasing of the pickle documentation:https://docs.python.org/dev/library/pickle.html

The pickle module isnot secure. Only unpickle data you trust.

Linked PRs

• [3.9] gh-95588: Drop the safety claim fromast.literal_eval docs. (GH-95919) #126729