
Microsoft cuts BinaryFormatter from .NET 9

By admin

Aug 29, 2024



Citing security concerns, Microsoft announced it is removing BinaryFormatter from .NET 9, the next release of its open source application platform. Microsoft outlined the risk of using BinaryFormatter in an August 28 blog post, stating: “Any deserializer, binary or text, that allows its input to carry information about the objects to be created is a security problem waiting to happen.” Such a deserializer can be used as a vector for DDoS attacks against consuming apps.

The company's post links to the Common Weakness Enumeration (CWE) entry describing the issue: CWE-502: Deserialization of Untrusted Data. In deciding to remove the formatter from .NET 9, which is due as a production release in November, Microsoft said it strongly believes .NET should make it easy for users to do the right thing and hard, if not impossible, to do the wrong thing. Shipping a technology that is widely regarded as unsafe runs counter to this goal, the company said.

BinaryFormatter was previously excluded from .NET Core 1.0, but customer demand had it reinstated in .NET Core 2.0. Since then, Microsoft has been on a path toward removing BinaryFormatter, turning it off by default in one project type after another while offering opt-in flags where it is still needed for backward compatibility.
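What the CWE-502 pattern quoted above looks like in code, and what the opt-in flag mentioned in the previous paragraph controls, as an added C# example that is not from the article or from Microsoft's post. The "before" method is the pattern Microsoft is retiring: the payload itself names the types to instantiate. The "after" method is one of the usual replacements (System.Text.Json into a fixed DTO); the choice of replacement, the `OrderDto` type, the `MaxDepth` value and the sample input are assumptions for illustration. The MSBuild property and warning ID named in the comments are the real ones that gate BinaryFormatter on .NET 8.

```csharp
// Added example (not from the article or from Microsoft's post): the
// CWE-502 pattern the article describes, beside a replacement that
// does not let input decide which types get instantiated.
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

// Hypothetical application type used only for this example.
public sealed class OrderDto
{
    public int Id { get; set; }
    public string Customer { get; set; } = "";
    public decimal Total { get; set; }
}

public static class DeserializationDemo
{
    // BEFORE: the object graph to build is read from the payload. Whoever
    // controls the bytes can pick any loadable type, which is why this is
    // CWE-502. On .NET 8 the call throws NotSupportedException unless the
    // project opts in via
    //   <EnableUnsafeBinaryFormatterSerialization>true</EnableUnsafeBinaryFormatterSerialization>
    // in the .csproj; on .NET 9 the type is no longer part of the runtime.
    public static object UnsafeLoad(byte[] untrusted)
    {
#pragma warning disable SYSLIB0011 // BinaryFormatter is obsolete for security reasons
        var formatter = new BinaryFormatter();
        using var stream = new MemoryStream(untrusted);
        return formatter.Deserialize(stream); // input decides the type: do not do this
#pragma warning restore SYSLIB0011
    }

    // AFTER: the target type is fixed in code. The payload can only populate
    // OrderDto's properties; unmapped members are skipped, and nesting depth
    // is capped so an oversized document fails fast rather than exhausting
    // the stack (the cap of 16 is an assumption; the default is 64).
    private static readonly JsonSerializerOptions Options = new()
    {
        MaxDepth = 16,
        PropertyNameCaseInsensitive = true,
    };

    public static OrderDto SafeLoad(string untrustedJson)
    {
        var dto = JsonSerializer.Deserialize<OrderDto>(untrustedJson, Options)
                  ?? throw new InvalidDataException("payload was JSON null");

        // Structural safety is not business validation: still check the values.
        if (dto.Id <= 0 || dto.Total < 0 || string.IsNullOrWhiteSpace(dto.Customer))
            throw new InvalidDataException("order failed validation");
        return dto;
    }

    public static void Main()
    {
        // Constructed sample input. "note" is not a property of OrderDto and is
        // ignored; nothing in the document can change which type is created.
        const string sample =
            "{\"id\":42,\"customer\":\"acme\",\"total\":19.99,\"note\":\"ignored\"}";

        var order = SafeLoad(sample);
        Console.WriteLine($"order {order.Id} for {order.Customer}: {order.Total}");
    }
}
```

The design point is the one in Microsoft's quoted sentence: `UnsafeLoad` lets the input carry information about the objects to be created, `SafeLoad` does not. Auditing for the old pattern is straightforward: search the code base for `BinaryFormatter`, for SYSLIB0011 suppressions, and for `EnableUnsafeBinaryFormatterSerialization` in project and runtimeconfig files, since each opt-in marks a place where untrusted input may still reach a type-carrying deserializer.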


