diff -ur Catalyst-Action-REST-0.83.original/lib/Catalyst/Action/Deserialize/Data/Serializer.pm Catalyst-Action-REST-0.83/lib/Catalyst/Action/Deserialize/Data/Serializer.pm
--- Catalyst-Action-REST-0.83.original/lib/Catalyst/Action/Deserialize/Data/Serializer.pm 2010-02-08 22:23:31.000000000 +0000
+++ Catalyst-Action-REST-0.83/lib/Catalyst/Action/Deserialize/Data/Serializer.pm 2010-09-01 09:45:00.000000000 +0100
@@ -5,6 +5,9 @@
 extends 'Catalyst::Action';
 use Data::Serializer;
+use Safe;
+my $compartment = Safe->new;
+$compartment->permit_only( qw(padany null lineseq const pushmark list anonhash anonlist refgen leaveeval undef) );
 our $VERSION = '0.83';
 $VERSION = eval $VERSION;
@@ -34,11 +37,18 @@
 }
 close(BODY);
 }
- my $dso = Data::Serializer->new( serializer => $serializer );
 my $rdata;
- eval {
- $rdata = $dso->raw_deserialize($rbody);
- };
+ if ( $serializer eq "Data::Dumper" ) {
+ # Taken from Data::Serialize::Data::Dumper::deserialize, but run within a Safe compartment
+ my $code = $rbody =~ /^\{/ ? "+".$rbody : $rbody;
+ $rdata = $compartment->reval( $code );
+ }
+ else {
+ my $dso = Data::Serializer->new( serializer => $serializer );
+ eval {
+ $rdata = $dso->raw_deserialize($rbody);
+ };
+ }
 if ($@) {
 return $@;
 }
diff -ur Catalyst-Action-REST-0.83.original/t/data-serializer.t Catalyst-Action-REST-0.83/t/data-serializer.t
--- Catalyst-Action-REST-0.83.original/t/data-serializer.t 2009-07-28 09:36:19.000000000 +0100
+++ Catalyst-Action-REST-0.83/t/data-serializer.t 2010-09-01 09:49:06.000000000 +0100
@@ -1,6 +1,6 @@
 use strict;
 use warnings;
-use Test::More tests => 29;
+use Test::More tests => 31;
 use FindBin;
 use lib ( "$FindBin::Bin/lib", "$FindBin::Bin/../lib" );
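Review bot: The `permit_only` line in the first hunk is the entire security boundary for Data::Dumper bodies and carries no comment saying so: the mask admits only the ops needed to compile a literal scalar/array/hash constructor, so any body using anything else (`bless`, a `$VAR1 = ...` assignment, a sub call) now dies with "trapped by operation mask" and the request is rejected. I would add above it `# Security boundary: only literal data constructors may compile. Anything else in a` / `# Data::Dumper body (bless, assignment, sub calls) is trapped by the op mask and rejected.` The module-level `use Safe;` pins no version even though Safe is the component doing the sandboxing; if a minimum known-good release is required for this to be sound, declare it (for example `use Safe 2.27;`, to be confirmed against the Safe changelog) so the dependency is explicit rather than whatever the host perl ships. The compartment is a single object built at load time and shared by every request; that looks acceptable because the mask permits no assignment op that could leave state behind, but it deserves a word in the same comment.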
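Review bot: The Data::Dumper branch in the second hunk rejects some bodies the previous unsandboxed `eval` accepted, and nothing records which: `bless` is not in the mask, and as far as I can tell a negative integer that Data::Dumper emits unquoted compiles to a `negate` op that is not permitted either, so such bodies return the op-mask error instead of data — worth checking against what Data::Serializer's Data::Dumper serializer actually emits and covering with a round-trip test before release. The comment on the new branch names `Data::Serialize::Data::Dumper::deserialize`; the module this file imports is `Data::Serializer`, so it should read `# Taken from Data::Serializer::Data::Dumper::deserialize, but run within a Safe compartment`. The text of `$@` is still handed back verbatim at `return $@;`, and for this branch it now contains perl's op-mask diagnostics; the new test asserts on exactly that, so it is deliberate, but API consumers will see sandbox internals in error responses. The enclosing method begins before this hunk and continues after the `return $@;` block, so the rest of its error handling is not visible here.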
@@ -59,4 +59,22 @@
 }
 }
+{
+ my $t = Test::Rest->new( 'content_type' => 'text/x-data-dumper' );
+
+ my $post_data = "{ 'sushi' => die('hack attempt') }";
+ my $mres_post = request(
+ $t->post(
+ url => '/monkey_put',
+ data => $post_data,
+ )
+ );
+ ok( ! $mres_post->is_success, "POST Data::Dumper fails due to invalid input" );
+ like(
+ $mres_post->content,
+ qr%Content-Type text/x-data-dumper had a problem with your request.*'die' trapped by operation mask%s,
+ "POST Data::Dumper data error matches"
+ );
+}
+
 1;
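Review bot: The new test exercises only the rejection path, and its `like` pattern pins the exact wording `'die' trapped by operation mask`, which comes from perl's Opcode layer rather than from this module, so the test is coupled to perl's diagnostic text and may need adjusting across perl releases. A companion case posting a legitimate Dumper body the mask must still accept — a nested hash containing `undef` and a negative numeric value — would show the sandbox does not regress normal deserialization; the loop closing just above this hunk (its start is outside the hunk) presumably covers the plain happy path, but not those edge values. The description "fails due to invalid input" understates what is checked: the body is a code-execution attempt, so `"POST Data::Dumper rejects code in body"` would name the property under test.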