Microsoft has decided to remove the BinaryFormatter from the upcoming .NET 9 open source application platform due to security concerns. In an August 28 blog post, Microsoft highlighted the risks associated with using BinaryFormatter, stating that any deserializer method that allows its input to carry information about the objects to be created can pose a security threat. This vulnerability opens up the possibility of DDoS attacks against consuming applications.
Microsoft referenced a common weakness enumeration (CWE) definition, specifically CWE-502: Deserialization of Untrusted Data, to illustrate the issue at hand. With the goal of making it easy for users to do the right thing and difficult, if not impossible, to do the wrong thing, Microsoft opted to remove the formatter from .NET 9, set for a production release in November.
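To make the CWE-502 point concrete, here is an added example (not code from the article or from Microsoft) contrasting a loader that lets the payload name the type to construct with one that fixes the target type in code. The `Order` type and the `OrderLoader` methods are hypothetical names chosen for illustration.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

// Added example, not code from the article or from Microsoft.
// Order and the two Load* methods are hypothetical names.
[Serializable]
public sealed class Order
{
    public int Id { get; set; }
    public string Customer { get; set; } = "";
}

public static class OrderLoader
{
    // BEFORE: the stream itself carries the name of the type to instantiate
    // (CWE-502). The object is constructed from whatever type the bytes name,
    // and only afterwards is it cast to Order, so the cast cannot protect you.
    // On .NET 8 this throws NotSupportedException unless the
    // EnableUnsafeBinaryFormatterSerialization switch is enabled; on .NET 9
    // (without the compatibility package) it throws PlatformNotSupportedException.
#pragma warning disable SYSLIB0011
    public static Order LoadLegacy(byte[] untrusted)
    {
        using var stream = new MemoryStream(untrusted);
        return (Order)new BinaryFormatter().Deserialize(stream);
    }
#pragma warning restore SYSLIB0011

    // AFTER: the target type is fixed here, in code. System.Text.Json has no
    // type-name handling, so the payload can only populate Order's properties;
    // it cannot choose a different type to construct.
    public static Order LoadSafe(byte[] untrusted)
    {
        return JsonSerializer.Deserialize<Order>(untrusted)
               ?? throw new InvalidOperationException("payload was JSON null, not an Order");
    }

    public static void Main()
    {
        // Constructed sample input for the safe path.
        byte[] json = JsonSerializer.SerializeToUtf8Bytes(new Order { Id = 7, Customer = "acme" });
        Order o = LoadSafe(json);
        Console.WriteLine($"{o.Id} {o.Customer}");
    }
}
```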
Although BinaryFormatter was initially excluded from .NET Core 1.0, customer demand led to its reinstatement in .NET Core 2.0. Over time, BinaryFormatter has been gradually disabled by default in multiple project types, with the option for users to opt in if needed for backward compatibility.