Open sandboxFocusImprove this doc

BinaryFormatter security

In .NET Core 3.1 BinaryFormatter, which is used for binary serialization of CLR objects, began to be considered insecure and dangerous. In .NET 5.0, BinaryFormatter started to throw an exception upon its use in ASP.NET Core applications. In .NET 8.0, more serialization-related APIs started to be obsolete and by default, BinaryFormatter is disabled (throwing exceptions) in all .NET 8.0 projects with an exception of WinForms and WPF projects. In .NET 9.0, the implementation of the BinaryFormatter class and its related types have been removed, and all members of these types now only have exception-throwing implementation.

The attack vector of this vulnerability is deserialization of data that could be manipulated by the attacker, which can result in execution of arbitrary command under credentials of the process that executed the deserialization.

Impact of vulnerability on PostSharp

PostSharp allows multiple ways to serialize aspects. The BinaryFormatter class is used if the type has the [Serializable] attribute in C#. After PostSharp 4.0, the preferred method of serialization became through [PSerializable], which results in using PortableFormatter, our own efficient and portable implementation specialized in serializing aspects.

Since PostSharp 2024.0, using [Serializable] on aspect classes will result in a build-time error LA0206.

In legacy applications that require usage of binary serialization, you can disable this error by setting PostSharpBinaryFormatterAllowed MSBuild property to true.

When building under .NET 9.0+ in PostSharp 2025.0 and later, using this setting will automatically reference the System.Runtime.Serialization.Formattters package as a build-time dependency. Additional steps must be taken to enable runtime support for aspect binary deserialization. See more in the .NET documentation.

Caution

Using PostSharpBinaryFormatterAllowed is not recommended and is unsupported.

Note

In releases before PostSharp 2024.0, using [Serializable] may result in build-time warning LA205, which can be suppressed through NoWarn MSBuild property.

Since the usage of BinaryFormatter is unsupported by Microsoft and in most projects using it would cause a runtime exception, it is recommended to use PortableFormatter for serializing aspects instead.

All aspects and types that are used for aspect serialization should use [PSerializable] instead of [Serializable].

See Also

Other Resources

Understanding Aspect Serialization
Reference

BinaryFormatter
PSerializableAttribute
BinaryFormatter serialization methods are obsolete and prohibited in ASP.NET apps
BinaryFormatter security guide