


Thanks for the good read


That only works because Python is an interpreter. Won't cause a thing on Java.


Deserialization in Java requires reflection, which puts you firmly in the land of "I'm basically interpreted now". Java's serialization has basically the same set of vulnerabilities.


The JVM is a Java Bytecode interpreter; don't be so sure you can't make it run things.


The JRE has had arbitrary code execution attacks on serialization. The leaked classes eventually invoke a class loader and instantiate your binary code as a new Java class.


Does the serialization work with bytecode though? Doesn't it stream just data members, not method implementations?
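The point the thread circles around, as an added example that is not from any commenter: the stream itself carries only field data, but a class's private readObject hook is still executed by the JVM during deserialization, so the receiving side should allowlist the types it expects with a JEP 290 ObjectInputFilter. The class names (DeserFilterDemo, Hooked, Note) are hypothetical; the filter API is the standard java.io.ObjectInputFilter available since Java 9.

```java
import java.io.*;

public class DeserFilterDemo {
    // Harmless stand-in for any class carrying a readObject/readResolve hook (hypothetical).
    static class Hooked implements Serializable {
        private static final long serialVersionUID = 1L;
        static int hookRuns = 0;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            hookRuns++; // arbitrary code runs here, even though the stream held only field data
        }
    }

    // The only type the receiving application actually expects.
    static class Note implements Serializable {
        private static final long serialVersionUID = 1L;
        String title;
        Note(String title) { this.title = title; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Hardened read: allowlist the expected class (and String for its field), reject everything else.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter allow = ObjectInputFilter.Config.createFilter(
            Note.class.getName() + ";java.lang.String;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(allow); // consulted before any class is instantiated
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] hooked = serialize(new Hooked());
        // Unfiltered read: no methods were serialized, yet the hook executes on the receiving JVM.
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(hooked))) {
            ois.readObject();
        }
        System.out.println("readObject hook ran " + Hooked.hookRuns + " time(s)");

        // Filtered read: the expected type is accepted; the unexpected one is rejected up front.
        System.out.println("accepted: " + ((Note) readFiltered(serialize(new Note("ok")))).title);
        try {
            readFiltered(hooked);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The rejection happens in the filter check that runs when the class descriptor is read, so neither the constructor path nor the readObject hook of the unexpected class is reached.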



