by ademarre 1401 days ago
That quote supports my statement. Notice that the serialized object is the thing that was constructed by the attacker, not some user data that you serialized yourself.

No, the input was not serialized; it was carefully crafted so that when it gets serialized and deserialized, it triggers the malicious payload.
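An added illustration of the distinction the two comments are arguing over, using Python's pickle (this is not code from either commenter, and not from whatever library the thread was discussing; every class, function and sample input below is constructed for the example). A `Gadget` class stands in for a gadget class whose `__reduce__` makes the unpickler call a function on load. The example shows three things: a string the user controls survives the application's own serialize/deserialize round trip as a plain string, however payload-like it looks; bytes the attacker serialized themselves carry the `STACK_GLOBAL`/`REDUCE` opcodes that make `pickle.loads` call into code; and an `Unpickler` with an allow-listing `find_class` refuses such bytes.

```python
import io
import pickle
import pickletools

# Constructed side-effect sink so the example can observe when a load "executes" something.
EXECUTED = []


def record_execution(cmd):
    """Stand-in for a dangerous callable (think os.system): records that it was invoked."""
    EXECUTED.append(cmd)
    return cmd


class Gadget:
    """Constructed gadget class: its __reduce__ tells the unpickler to call record_execution(cmd)."""

    def __init__(self, cmd):
        self.cmd = cmd

    def __reduce__(self):
        return (record_execution, (self.cmd,))


def app_serialize(user_input: str) -> bytes:
    """The application serializes a structure it built itself; the user controls only a string field."""
    return pickle.dumps({"comment": user_input})


def app_roundtrip(user_input: str):
    """Serialize then deserialize our own data: the string comes back as a string, nothing runs."""
    return pickle.loads(app_serialize(user_input))


def attacker_blob(cmd: str) -> bytes:
    """The attacker builds the serialized bytes themselves, embedding the gadget."""
    return pickle.dumps(Gadget(cmd))


def app_loads_untrusted(blob: bytes):
    """Naive application code: deserializes whatever bytes it was handed."""
    return pickle.loads(blob)


# Opcodes that cause the unpickler to resolve a global or call/construct something.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def has_code_opcodes(blob: bytes) -> bool:
    """Static check: does this pickle stream contain any opcode that reaches code on load?"""
    return any(op.name in CODE_OPCODES for op, _arg, _pos in pickletools.genops(blob))


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: only allow-listed globals may be resolved (constructed allow list)."""

    ALLOWED = {("builtins", "set"), ("builtins", "frozenset")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_loads(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def safe_loads_rejects(blob: bytes) -> bool:
    """True if the restricted loader refuses the blob."""
    try:
        safe_loads(blob)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    # Constructed user input that looks like a classic pickle payload; it is still just a string.
    payload_like = "cos\nsystem\n(S'id'\ntR."
    print(app_roundtrip(payload_like), EXECUTED)        # {'comment': "cos\nsystem\n(S'id'\ntR."} []
    evil = attacker_blob("id")
    print(has_code_opcodes(app_serialize(payload_like)), has_code_opcodes(evil))  # False True
    print(safe_loads_rejects(evil))                      # True
    print(app_loads_untrusted(evil), EXECUTED)           # id ['id']
```

The point the opcode scan makes concrete: whether a load is dangerous depends on the serialized stream, not on the content of the strings inside it. A user-controlled string that the application pickles itself becomes a `SHORT_BINUNICODE` value; only a stream the attacker assembled can contain `REDUCE`. The `find_class` allow list is the standard mitigation when untrusted streams must be loaded at all; it does not make arbitrary pickles safe, it just stops them resolving globals you did not approve.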