Are there future plans for removing binary serialization/deserialization?

Cataldi Alessandro 0 Reputation points
2024-10-02T16:13:23.2233333+00:00

Given that starting with .NET 8 the BinaryFormatter class is being stripped away for security reasons, and considering that the package uses a BinaryWriter/Reader to serialize/deserialize object graphs, I'm assuming this suffers from the same security risks.

I'm wondering if there's any plan in terms of changing the implementation to get rid of the binary formatter or not.

I can envision plenty of apps that (wrongly) abuse session and store very complex object graphs. A different serialization mechanism could be an abrupt breaking change for those.


1 answer

  1. Jiachen Li-MSFT 31,166 Reputation points Microsoft Vendor
    2024-10-03T02:31:50.9+00:00

    Hi @Cataldi Alessandro ,

    As a preferred alternative to the BinaryFormatter class, there is currently no plan to remove the use of a BinaryWriter/Reader to serialize/deserialize object graphs.

    Deserialization risks in use of BinaryFormatter and related types

    Best Regards.

    Jiachen Li


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

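As an added example, not code from the question, the Microsoft answer, or the session-state package, this C# sketch shows the distinction the question raises: a BinaryReader-based codec reads a schema fixed in code rather than instantiating types named in the payload, so the remaining risk is untrusted lengths, which it checks before allocating. The SessionData record, the header constant and the size caps are hypothetical.

```csharp
using System.IO;
using System.Text;

// Hypothetical session payload with a shape fixed in code: the reader never
// instantiates a type named by the input, which is the BinaryFormatter hazard.
public sealed record SessionData(string UserName, int Role, byte[] Token);

public static class SessionCodec
{
    private const int Magic = 0x53455331;    // constructed "SES1" header
    private const int MaxUserBytes = 1024;   // caps chosen for this example
    private const int MaxTokenBytes = 256;
    public static byte[] Serialize(SessionData s)
    {
        using var ms = new MemoryStream();
        using var w = new BinaryWriter(ms, Encoding.UTF8, leaveOpen: true);
        w.Write(Magic);
        WriteBytes(w, Encoding.UTF8.GetBytes(s.UserName));
        w.Write(s.Role);
        WriteBytes(w, s.Token);
        return ms.ToArray();
    }
    public static SessionData Deserialize(byte[] payload)
    {
        using var ms = new MemoryStream(payload, writable: false);
        using var r = new BinaryReader(ms, Encoding.UTF8);
        if (r.ReadInt32() != Magic) throw new InvalidDataException("bad header");
        string user = Encoding.UTF8.GetString(ReadBytes(r, MaxUserBytes));
        int role = r.ReadInt32();
        byte[] token = ReadBytes(r, MaxTokenBytes);
        if (ms.Position != ms.Length) throw new InvalidDataException("trailing data");
        return new SessionData(user, role, token);
    }
    private static void WriteBytes(BinaryWriter w, byte[] data)
    {
        w.Write(data.Length);  // explicit Int32 prefix, not ReadString's 7-bit length
        w.Write(data);
    }
    // Check the untrusted length before allocating: a tampered prefix could
    // otherwise request a huge buffer (denial of service) or read past the data.
    private static byte[] ReadBytes(BinaryReader r, int max)
    {
        int len = r.ReadInt32();
        if (len < 0 || len > max) throw new InvalidDataException($"length {len} exceeds {max}");
        byte[] data = r.ReadBytes(len);
        if (data.Length != len) throw new EndOfStreamException("truncated payload");
        return data;
    }
}
```

A round trip such as `SessionCodec.Deserialize(SessionCodec.Serialize(new SessionData("alice", 2, new byte[] { 1, 2, 3 })))` returns an equal record, while a payload whose length prefix is altered is rejected before any buffer of that size is allocated.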
