Hacker News new | ask | show | jobs
by cratermoon 1405 days ago
No the input was not serialized, it was carefully crafted so that when it gets serialized and deserialized, it triggers the malicious payload.
1 comments
ademarre 1405 days ago
No. That is not how it works.

https://docs.python.org/3/library/pickle.html

https://blog.nelhage.com/2011/03/exploiting-pickle/ (referenced from https://cwe.mitre.org/data/definitions/502.html#REF-467)

link