Changes to BinaryFormatter in .NET 9

Welcome back to our newsletter!

This week, we will be covering the removal of BinaryFormatter from .NET 9.

While this update has sparked some concerns within .NET community, this article aims to provide guidance on how to mitigate its impact on your code moving forward.

Let's dive in!

Starting with .NET 9, the runtime no longer includes an implementation of BinaryFormatter. While the APIs are still present, any attempt to use them now throws an exception.

This change does not affect the .NET Framework, but developers on that platform are still encouraged to migrate away from BinaryFormatter because of the same security concerns.

What does this mean?

If you use BinaryFormatter in .NET 9, there are two options to proceed:

  1. Migrate Away from BinaryFormatter: Microsoft strongly recommends migrating to safer alternatives. The BinaryFormatter Migration Guide offers several options, including JSON or XML serialisation. For binary needs, serializers like MessagePack or Protocol Buffers are suggested.
  2. Use BinaryFormatter Compatibility Package: For those who need to continue using BinaryFormatter, you can rely on the unsupported System.Runtime.Serialization.Formatters NuGet package. However, it restores legacy functionality with known vulnerabilities.


What should you do?

1) Migrate Away from BinaryFormatter

Microsoft advises moving to more secure alternatives. Some options include:

If you’re using [Serializable] or ISerializable attributes, DataContractSerializer offers a straightforward migration path.
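As an added example (not code from the newsletter or from Microsoft's migration guide), here is what that swap looks like for a type that already carries [Serializable]: the BinaryFormatter calls are replaced by DataContractSerializer, the type itself is left untouched. The Order type, its fields and the OrderStore class are assumptions made up for this illustration.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Xml;

// Assumed legacy type: it used to be persisted with BinaryFormatter.
// DataContractSerializer accepts [Serializable] types as they are and
// writes their fields, so no [DataContract] attributes are needed to migrate.
[Serializable]
public sealed class Order
{
    public int Id;
    public string Customer = "";
    public decimal Total;
}

public static class OrderStore
{
    private static readonly DataContractSerializer Serializer =
        new DataContractSerializer(typeof(Order));

    // Before (throws on .NET 9):
    //   new BinaryFormatter().Serialize(stream, order);
    public static byte[] Save(Order order)
    {
        using var ms = new MemoryStream();
        // Binary XML keeps the payload compact; ownsStream: false keeps the
        // MemoryStream usable after the writer is disposed.
        using var writer = XmlDictionaryWriter.CreateBinaryWriter(ms, null, null, ownsStream: false);
        Serializer.WriteObject(writer, order);
        writer.Flush();
        return ms.ToArray();
    }

    // Before (the dangerous call):
    //   (Order)new BinaryFormatter().Deserialize(stream);
    public static Order Load(byte[] payload)
    {
        // The contract fixes the root type up front, so the payload cannot
        // name a different type to instantiate. The reader quotas bound how
        // much nesting and string/array data a hostile blob can make the
        // parser allocate.
        var quotas = new XmlDictionaryReaderQuotas
        {
            MaxDepth = 32,
            MaxStringContentLength = 64 * 1024,
            MaxArrayLength = 64 * 1024,
        };
        using var ms = new MemoryStream(payload);
        using var reader = XmlDictionaryReader.CreateBinaryReader(ms, quotas);
        return (Order)Serializer.ReadObject(reader, verifyObjectName: true)!;
    }

    public static void Main()
    {
        var original = new Order { Id = 42, Customer = "alice", Total = 19.99m };
        Order copy = Load(Save(original));
        Console.WriteLine($"Id={copy.Id} Customer={copy.Customer} Total={copy.Total}");
    }
}
```

The important difference is in Load: with BinaryFormatter the payload decides which types get constructed, whereas DataContractSerializer only ever builds the Order graph declared in the contract, and the quotas put a ceiling on what a malformed or hostile input can cost you.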

2) Use BinaryFormatter Compatibility Package

If migration isn’t possible right now, you can continue using BinaryFormatter by installing the unsupported System.Runtime.Serialization.Formatters NuGet package. This restores legacy functionality, but keep in mind it retains all known vulnerabilities.

Example configuration:

<PropertyGroup>
  <TargetFramework>net9.0</TargetFramework>
  <EnableUnsafeBinaryFormatterSerialization>true</EnableUnsafeBinaryFormatterSerialization>
</PropertyGroup>

<ItemGroup>
  <PackageReference Include="System.Runtime.Serialization.Formatters" Version="9.0.0" />
</ItemGroup>

Why was BinaryFormatter removed?

The primary concern is security. BinaryFormatter has been flagged as a risk due to its ability to deserialise untrusted data, leading to potential vulnerabilities (CWE-502). Microsoft has been gradually removing support for BinaryFormatter since .NET Core 1.0, and .NET 9 marks its full removal.


Handling existing BinaryFormatter payloads

If you only need to read existing BinaryFormatter data, without deserialising it into live objects, you can use NrbfDecoder (from the System.Formats.Nrbf package) to safely inspect payloads.

Example of reading a BinaryFormatter payload:

using System;
using System.IO;
using System.Formats.Nrbf;

void Read(Stream payload)
{
    // NrbfDecoder parses the NRBF stream into records; it never loads,
    // resolves or instantiates the types the payload names.
    SerializationRecord rootObject = NrbfDecoder.Decode(payload);

    if (rootObject is PrimitiveTypeRecord primitiveRecord)
    {
        Console.WriteLine($"It was a primitive value: '{primitiveRecord.Value}'");
    }
    else if (rootObject is ClassRecord classRecord)
    {
        // Only the type name is exposed; the type itself is not resolved.
        Console.WriteLine($"It was a class record of '{classRecord.TypeName.AssemblyQualifiedName}' type name.");
    }
}
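The snippet above only reports what the payload contains. As an added example (not from the newsletter or from the System.Formats.Nrbf package itself), the following takes the next step you need when migrating stored data: it checks that a blob actually starts with the NRBF header, decodes it, and copies the expected members of one known class record into a plain Order object without ever instantiating the type named in the payload. The Order record, the member names Id, Customer and Total, the expectation that the legacy class was also called "Order", and the LegacyPayloadReader class are all assumptions for this illustration.

```csharp
using System;
using System.Formats.Nrbf;
using System.IO;
using System.Runtime.Serialization;

// Assumed modern replacement for the type that was stored with BinaryFormatter.
public sealed record Order(int Id, string Customer, decimal Total);

public static class LegacyPayloadReader
{
    // Returns the extracted Order, or null with a reason when the payload is
    // not something we are prepared to accept. The stream must be seekable.
    public static Order? TryReadOrder(Stream payload, out string reason)
    {
        // Cheap up-front check: is this even an NRBF stream? Anything else
        // (empty, JSON, random bytes) is rejected before parsing starts.
        if (!NrbfDecoder.StartsWithPayloadHeader(payload))
        {
            reason = "not an NRBF payload";
            return null;
        }

        SerializationRecord root;
        try
        {
            // Decode builds a record graph only; no type in the payload is
            // loaded, resolved or instantiated.
            root = NrbfDecoder.Decode(payload);
        }
        catch (Exception ex) when (ex is SerializationException or NotSupportedException or EndOfStreamException)
        {
            reason = $"malformed payload: {ex.GetType().Name}";
            return null;
        }

        // Accept only a class record, and only the one class we expect.
        if (root is not ClassRecord cls)
        {
            reason = $"root is {root.GetType().Name}, not a class record";
            return null;
        }

        // The legacy type may have lived in another assembly, so compare the
        // full type name rather than the assembly-qualified one (assumption:
        // the legacy class was also named "Order").
        if (cls.TypeName.FullName != "Order"
            || !cls.HasMember("Id") || !cls.HasMember("Customer") || !cls.HasMember("Total"))
        {
            reason = $"unexpected type '{cls.TypeName.FullName}' or missing members";
            return null;
        }

        // Typed accessors read primitive members straight from the record.
        reason = "ok";
        return new Order(
            cls.GetInt32("Id"),
            cls.GetString("Customer") ?? "",
            cls.GetDecimal("Total"));
    }
}
```

Once the data is in an Order, it can be written back with whichever modern serialiser you migrated to, and the legacy blob can be deleted; the payload is treated purely as data throughout, which is the whole point of NrbfDecoder.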

To recap

According to the .NET team at Microsoft, the removal of BinaryFormatter in .NET 9 is part of a broader push to enhance security in .NET. Migrating to safer alternatives is strongly encouraged, though the compatibility package is available as a temporary stopgap.

Microsoft suggests prioritising secure data handling and future-proofing your applications by adopting modern serialisation methods.


Hot .NET Jobs by develop

Senior Software Engineer - Remote/Cambridge

Software Engineer - Cambridge

Lead Software Engineer - Cardiff/Remote

.NET Developer - Bedfordshire
