Why is this any different from normal data? Conventional application data is usually available for inspection before any use is made of it. In the process of deserialization the application is generally presented with a fully formed new object directly, without the possibility of examining the data from which it was created. The attributes of the object can be subverted to perform a potentially harmful action before the application has had an opportunity to examine the object.
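The paragraph above is the core of the problem: with a native serialization format the object exists before the application can look at the bytes. The added example below (not part of the original page) shows two defensive habits in Python, using `pickle` as the native format: inspecting the opcode stream with `pickletools` before anything is executed, and loading through an unpickler whose `find_class` only resolves an allowlist of plain data types. The `SAFE_GLOBALS` allowlist, the `Hypothetical` class and the sample records are assumptions constructed for the demonstration.

```python
import io
import pickle
import pickletools

# Allowlist (assumption for this example): only plain data containers and
# scalars may be reconstructed. Anything else is refused before it is built.
SAFE_GLOBALS = {
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "set"),
    ("builtins", "tuple"), ("builtins", "int"), ("builtins", "float"),
    ("builtins", "str"), ("builtins", "bool"),
}

# Opcodes that make the unpickler resolve a global name or call something.
# Their presence means the stream will construct objects, not just data.
OBJECT_CONSTRUCTING_OPCODES = {
    "GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
    "REDUCE", "BUILD",
}


def suspicious_opcodes(data: bytes) -> list:
    """Inspect the raw stream WITHOUT executing it.

    pickletools.genops only decodes opcodes, so this is a look at the data
    before any object is created, which is exactly what the text says native
    deserialization normally denies the application.
    """
    return [op.name for op, _arg, _pos in pickletools.genops(data)
            if op.name in OBJECT_CONSTRUCTING_OPCODES]


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global not on the allowlist."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to resolve {module}.{name}: not on the allowlist")


def safe_loads(data: bytes):
    """Load only after the stream has been inspected and found data-only."""
    found = suspicious_opcodes(data)
    if found:
        raise pickle.UnpicklingError(
            f"stream would construct objects (opcodes: {sorted(set(found))})")
    return RestrictedUnpickler(io.BytesIO(data)).load()


class Hypothetical:
    """Stand-in application class (constructed for the example)."""

    def __init__(self, value):
        self.value = value


def demo() -> dict:
    """Return the outcome for a plain record and for an object instance."""
    plain = pickle.dumps({"id": 7, "tags": ["a", "b"]})   # constructed sample
    instance = pickle.dumps(Hypothetical("x"))            # constructed sample
    result = {"plain": safe_loads(plain)}
    try:
        safe_loads(instance)
        result["instance"] = "accepted"
    except pickle.UnpicklingError as exc:
        result["instance"] = f"rejected: {exc}"
    return result


if __name__ == "__main__":
    print(demo())
```

The two checks are deliberately layered: `suspicious_opcodes` rejects a stream on sight, and `RestrictedUnpickler.find_class` is the backstop if an inspection rule is ever incomplete. For untrusted input the more robust option remains a data-only format such as JSON with schema validation, where no object is ever built from the bytes before the application has seen them.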