diff --git a/python/packages/azurefunctions/agent_framework_azurefunctions/_app.py b/python/packages/azurefunctions/agent_framework_azurefunctions/_app.py
index c25c2461ce..e15bd56ed2 100644
--- a/python/packages/azurefunctions/agent_framework_azurefunctions/_app.py
+++ b/python/packages/azurefunctions/agent_framework_azurefunctions/_app.py
@@ -298,9 +298,9 @@ def executor_activity(inputData: str) -> str:
 if not executor:
 raise ValueError(f"Unknown executor: {captured_executor_id}")

- # Reconstruct message - deserialize_value restores the original typed objects
- # from the encoded data (with type markers)
- message = deserialize_value(message_data)
+ # Reconstruct message: strip untrusted pickle/type markers first
+ # (defense-in-depth), then deserialize_value restores typed objects.
+ message = deserialize_value(strip_pickle_markers(message_data))

 # Check if this is a HITL response message by examining source_executor_ids
 is_hitl_response = any(s.startswith(SOURCE_HITL_RESPONSE) for s in source_executor_ids)
@@ -324,7 +324,7 @@ def classify_yielded_output(executor_id: str) -> YieldOutputEventType | None:

 # Deserialize shared state values to reconstruct dataclasses/Pydantic models
 deserialized_state: dict[str, Any] = {
- str(k): deserialize_value(v) for k, v in shared_state_snapshot.items()
+ str(k): deserialize_value(strip_pickle_markers(v)) for k, v in shared_state_snapshot.items()
 }
 original_snapshot = _create_state_snapshot(deserialized_state)
 shared_state.import_state(deserialized_state)
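Review bot: In the first hunk (`executor_activity`, around line 298) the new comment says pickle/type markers are stripped and that `deserialize_value` then restores typed objects, which reads as contradictory and leaves a maintainer unsure which encodings still round-trip after sanitising. If it matches what `strip_pickle_markers` does, a wording such as `# Remove pickle-backed markers from the untrusted activity input; deserialize_value then rebuilds only the remaining marker-encoded types.` would state the contract. The comment above the comprehension in the second hunk (`# Deserialize shared state values ...`) has the same gap, since it does not mention the stripping step at all. No import of `strip_pickle_markers` is visible in this diff, so confirm the name is already in scope in `_app.py`. The enclosing function starts and ends outside the hunk.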
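Review bot: In the second hunk (around line 324) a shared-state value that had a marker stripped is imported with no trace, and `original_snapshot` is built from the already-sanitised dict, so nothing in the visible lines records that the orchestration input carried a pickle marker. This is the point where a tampered payload would be neutralised, so it is worth logging a warning with the state key (never the value) whenever the stripped result differs from the input; the same applies to `message_data` in the first hunk. The sketch below assumes `strip_pickle_markers` returns a new structure instead of mutating its argument and that the module already has a `logger`; neither is visible in this diff. The enclosing function starts and ends outside the hunk.

```python
# … unchanged: comment above the shared-state deserialization …
deserialized_state: dict[str, Any] = {}
for k, v in shared_state_snapshot.items():
    cleaned = strip_pickle_markers(v)
    if cleaned != v:
        # A marker was removed from orchestration input: leave a trail for triage.
        logger.warning("Stripped serialization marker from shared state key %r", str(k))
    deserialized_state[str(k)] = deserialize_value(cleaned)
# … unchanged: _create_state_snapshot and shared_state.import_state calls …
```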