Microsoft has announced that it will remove the BinaryFormatter from .NET 9, citing significant security risks associated with its use. In a blog post on August 28, Microsoft outlined the dangers of BinaryFormatter, highlighting how deserializer methods that allow input to dictate the objects created can open the door to security vulnerabilities. Specifically, such deserialization methods can become vectors for distributed denial-of-service (DDoS) attacks on applications that consume them. The company emphasized that allowing unsafe practices like this goes against the goal of making secure development practices the default for .NET users.
The issue is linked to a common vulnerability known as CWE-502: Deserialization of Untrusted Data, which describes how untrusted input can cause unexpected behavior when deserialized. In response to this, Microsoft made the decision to remove BinaryFormatter from .NET 9, a move that aligns with the company’s ongoing efforts to create a more secure and developer-friendly platform. By eliminating potentially dangerous features, Microsoft aims to make it easier for developers to follow best practices while making it difficult, if not impossible, to accidentally use insecure technologies.
BinaryFormatter had been removed from .NET Core 1.0 due to similar concerns but was reinstated in .NET Core 2.0 in response to customer demand. Since then, Microsoft has been gradually deprecating its use, turning it off by default in several project types while still offering opt-in flags for those needing backward compatibility. The full removal from .NET 9 marks a decisive step toward eliminating the formatter entirely. Microsoft encourages developers to migrate away from BinaryFormatter and offers a migration guide to help transition to safer alternatives.
For those still dependent on BinaryFormatter, Microsoft offers two options: either migrate away from it or continue using it through the unsupported System.Runtime.Serialization.Formatters NuGet package. The company has removed all remaining in-box dependencies on BinaryFormatter, replacing it with safer implementations. Going forward, Microsoft advises developers to avoid introducing new code that relies on BinaryFormatter and to explore alternative serialization methods for existing code. For users who are only performing serialization without controlling the deserialization process, Microsoft suggests considering options that only read the BinaryFormatter payload without actually deserializing it, further enhancing security.