| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| vllm | pip | | |
The vulnerability description explicitly identifies GroupCoordinator.recv_object() as the vulnerable function. Both code versions examined (commit 32e7db2 and tag v0.8.1) show that it calls pickle.loads() directly on the bytes it receives from a peer. CWE-502 (Deserialization of Untrusted Data) describes exactly this pattern: pickle reconstructs arbitrary Python objects from the byte stream, so whoever can deliver a message to the coordinator controls what is instantiated, and therefore what code runs, during deserialization. The remote code execution impact follows directly from that unsafe deserialization.
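The following is an added example, not vLLM's own recv_object() code: it puts the unsafe pickle.loads() pattern described above next to a hardened receiver that uses a restricted Unpickler with an allowlist of plain data types, so a pickle carrying a reference to any function or class is refused. The allowlist, the function names and the sample messages are assumptions made for the illustration.

```python
"""Added example (not vLLM code): unsafe pickle receive vs. a restricted one."""
import io
import pickle

# Assumed allowlist: only plain container types may be resolved as globals.
# Anything else (functions, classes, os/subprocess helpers) is refused.
SAFE_GLOBALS = {
    ("builtins", "dict"),
    ("builtins", "list"),
    ("builtins", "tuple"),
    ("builtins", "set"),
    ("builtins", "frozenset"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves globals only from SAFE_GLOBALS."""

    def find_class(self, module: str, name: str):
        # Every GLOBAL / STACK_GLOBAL opcode in the stream goes through here,
        # so this single check gates all object and callable references.
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused global {module}.{name}")


def recv_object_unsafe(data: bytes):
    """The vulnerable pattern: pickle.loads() on bytes from the network."""
    return pickle.loads(data)


def recv_object_restricted(data: bytes):
    """Hardened variant: same wire format, but globals are allowlisted."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    """True if the restricted receiver refuses the message."""
    try:
        recv_object_restricted(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample messages: a benign data payload and one that
    # references a builtin function by name (harmless here, refused anyway).
    benign = pickle.dumps({"rank": 0, "shape": [2, 3]})
    global_ref = pickle.dumps(len)
    print(recv_object_restricted(benign))      # {'rank': 0, 'shape': [2, 3]}
    print(is_rejected(global_ref))             # True
    print(recv_object_unsafe(global_ref) is len)  # True: unsafe path resolves it
```

A data-only format (for example JSON or msgpack for metadata, with tensors sent as raw buffers) removes the deserialization class of bug entirely; the restricted unpickler is the smaller change when the pickle wire format must be kept.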