by ademarre 1401 days ago
> If you pickle data from an untrusted source . . . and then later unpickle it

That is not exactly right. The risk is when you unpickle data that was pickled by someone else or that was tampered with after you pickled it.


Look closer at the CWE and the linked examples: An attacker can construct an illegitimate, serialized object, like an auth token or sessionID, that instantiates one of Python's subprocesses to execute arbitrary commands
That quote supports my statement. Notice that the serialized object is the thing that was constructed by the attacker, not some user data that you serialized yourself.
No, the input was not serialized; it was carefully crafted so that when it gets serialized and deserialized, it triggers the malicious payload.
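As an added example (not written by any commenter in this thread), here is a Python sketch of the two defences the discussion points at: an HMAC tag on the pickle so that anything tampered with after you pickled it is rejected before it is unpickled, and a restricted unpickler that refuses any global not on an allowlist. The signing key and the sample session are constructed for the demo.

```python
import hashlib, hmac, importlib, io, os, pickle

# Constructed demo key (assumption); a real deployment loads it from a secrets store.
SIGNING_KEY = b"constructed-demo-key-not-for-production"

# Only these globals may be resolved while unpickling. Plain dicts, lists and
# strings need no global lookup at all, so the allowlist can stay tiny.
SAFE_GLOBALS = {("builtins", "dict"), ("builtins", "list"), ("builtins", "set")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses any module.name reference not on the allowlist."""
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return getattr(importlib.import_module(module), name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def sign(data: bytes) -> bytes:
    """Append an HMAC-SHA256 tag so any change after pickling is detectable."""
    return data + hmac.new(SIGNING_KEY, data, hashlib.sha256).digest()


def verify_and_load(blob: bytes):
    """Check the tag first; only our own, unmodified pickles reach the unpickler."""
    data, tag = blob[:-32], blob[-32:]
    expected = hmac.new(SIGNING_KEY, data, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("signature mismatch: not our pickle, or modified since")
    return restricted_loads(data)


def demo():
    """Returns (round_trip_ok, tamper_detected, foreign_global_blocked)."""
    session = {"user": "alice", "roles": ["viewer"]}  # constructed sample data
    blob = sign(pickle.dumps(session))
    round_trip_ok = verify_and_load(blob) == session
    tampered = bytearray(blob)
    tampered[5] ^= 0xFF  # one byte changed after pickling
    try:
        verify_and_load(bytes(tampered)); tamper_detected = False
    except ValueError:
        tamper_detected = True
    foreign = pickle.dumps(os.getcwd)  # pickle that names a non-allowlisted global
    try:
        restricted_loads(foreign); foreign_blocked = False
    except pickle.UnpicklingError:
        foreign_blocked = True
    return round_trip_ok, tamper_detected, foreign_blocked
```

The tag check only proves the bytes are the ones you produced; the allowlist is what limits the damage if a pickle from elsewhere ever reaches the unpickler anyway.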