Microsoft has announced the removal of BinaryFormatter from the upcoming .NET 9 release, citing security concerns as the primary reason for the decision. In a blog post published on August 28, the company explained that BinaryFormatter presents a serious security risk because of how it deserializes data: the payload itself names the types to instantiate and dictates how the resulting object graph is wired together, so whoever controls the input can manipulate the objects being created and mount a range of attacks, including denial-of-service (DoS) attacks. The post framed this as the inherent danger of any deserializer that accepts untrusted input, and as a critical issue for developers to address.
The company linked to the relevant Common Weakness Enumeration entry, CWE-502, which catalogs deserialization of untrusted data as a weakness class in its own right. Microsoft emphasized its commitment to making .NET a platform that encourages secure coding practices, noting that shipping technologies it considers unsafe undermines that goal. In light of this, the removal of BinaryFormatter was presented as a necessary step to protect both developers and end users. With .NET 9 set for a November release, the change aligns with Microsoft's broader strategy of promoting secure development practices by removing outdated and risky components.
BinaryFormatter had already been excluded from .NET Core 1.0 due to security concerns, but it was reintroduced in .NET Core 2.0 at the request of customers who required backward compatibility. Since then, Microsoft has worked toward phasing it out, gradually disabling it by default in various project types while still providing an opt-in flag for users who needed it. The decision to remove BinaryFormatter completely from .NET 9 marks the final step in this process, making it clear that the company is prioritizing security over compatibility with older systems.
For developers who rely on BinaryFormatter, Microsoft has provided two options: migrate to safer alternatives, or continue using it by depending on the unsupported System.Runtime.Serialization.Formatters NuGet package. The package restores the same unsafe implementation rather than fixing it, so it is a compatibility stopgap, not a mitigation. A migration guide has been made available to help users transition away from BinaryFormatter, with recommendations for alternative serialization methods. Microsoft also advised that new code should avoid BinaryFormatter altogether and that developers should adopt safer serialization options for their applications. For those who only need to read data that was serialized with BinaryFormatter but do not control the serialization process, Microsoft suggested parsing the payload's records and reading out the values required, without letting a deserializer instantiate the types the payload names; that removes the attacker's ability to choose which objects get created.
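As an added illustration, not code from the Microsoft post or its migration guide, the following C# places the pattern the post warns about next to one of the migration paths the guide's recommendations point to: a serializer whose wire format carries no type names, so the caller fixes the target type at compile time. The Order class, the loader class names and the sample payloads are assumptions made for this example; SYSLIB0011, EnableUnsafeBinaryFormatterSerialization and the package name are real.

```csharp
// Added example, not from the Microsoft post. The BinaryFormatter half compiles
// on .NET 8 (where it is obsolete, SYSLIB0011) or on .NET 9 only with the
// unsupported System.Runtime.Serialization.Formatters package referenced.
// The Order type and the sample inputs below are constructed for this example.
using System;
using System.IO;
using System.Linq;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text;
using System.Text.Json;

[Serializable]
public sealed class Order
{
    public string Id { get; set; } = "";
    public decimal Amount { get; set; }
}

public static class UnsafeLoader
{
    // CWE-502 as the post describes it: the byte stream, not this code, decides
    // which types get instantiated and how their fields are wired together.
    // The cast to Order runs only after every object in the payload has already
    // been created, so it provides no protection at all.
    public static Order Load(Stream untrusted)
    {
#pragma warning disable SYSLIB0011 // BinaryFormatter is obsolete
        var formatter = new BinaryFormatter();
        return (Order)formatter.Deserialize(untrusted);
#pragma warning restore SYSLIB0011
    }
}

public static class SafeLoader
{
    // Migration path: JSON has no type-name field, so the reader can only ever
    // populate Order's own members. MaxDepth bounds nesting so a hostile payload
    // cannot drive unbounded recursion (the DoS angle the post mentions).
    private static readonly JsonSerializerOptions Options = new()
    {
        MaxDepth = 16,
        PropertyNameCaseInsensitive = true,
    };

    public static Order Load(Stream untrusted) =>
        JsonSerializer.Deserialize<Order>(untrusted, Options)
        ?? throw new InvalidDataException("payload did not contain an object");
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample input: a well-formed Order.
        var good = new MemoryStream(Encoding.UTF8.GetBytes("{\"id\":\"A-1\",\"amount\":42.5}"));
        var order = SafeLoader.Load(good);
        Console.WriteLine($"loaded {order.Id} for {order.Amount}");

        // Constructed hostile input: 200 nested objects under an unknown property.
        // Skipping the unknown member still walks the nesting, and the reader
        // throws a JsonException once MaxDepth (16) is exceeded.
        var nested = string.Concat(Enumerable.Repeat("{\"extra\":", 200));
        var deep = new MemoryStream(Encoding.UTF8.GetBytes(nested));
        try
        {
            SafeLoader.Load(deep);
        }
        catch (JsonException)
        {
            Console.WriteLine("rejected: nesting exceeded MaxDepth");
        }

        // UnsafeLoader.Load is kept for contrast only. On .NET 9 the in-box
        // BinaryFormatter throws on every call, regardless of the
        // EnableUnsafeBinaryFormatterSerialization property; only the
        // unsupported NuGet package restores the old, still unsafe, behaviour.
    }
}
```

The point of the contrast is where type selection happens: in UnsafeLoader the attacker's bytes pick the types before the cast ever runs, while in SafeLoader the generic argument picks the type and the input can only fill in its members. For the read-only case the post describes (payloads you receive but never produce), the migration guide's advice is to decode the format's records directly rather than deserialize, which is a different tool from either loader shown here.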