Howdy, thought I'd dive in here. Sorry that things got pointed in your direction on this. That was out of our control. Chris and I had a bunch of conversations about whether we thought this was worth reporting to you when we discovered it. Perhaps we made the wrong decision, hard to say. We don't think this is a problem with the functionality in your library; instead it's with the core serialization/deserialization logic flows. Blaming you is like blaming a library used to build a ROP chain and suggesting we break or remove the assembly that contributes to that ROP chain.
Assuming you fix/change your code, then it's just a matter of finding another similar gadget somewhere else.... Just thought I'd join in the discussion. I've joined the mailing list. Thanks, Gabriel Lawrence @gebl