BinaryFormatter serialization methods are obsolete and prohibited in ASP.NET apps

Serialize and Deserialize methods on BinaryFormatter, Formatter, and IFormatter are now obsolete as warning. Additionally, BinaryFormatter serialization is prohibited by default for ASP.NET apps.

Change description

Due to security vulnerabilities in BinaryFormatter, the following methods are now obsolete and produce a compile-time warning with ID SYSLIB0011. Additionally, in ASP.NET Core 5.0 and later apps, they will throw a NotSupportedException, unless the web app has re-enabled BinaryFormatter functionality.

The following serialization methods are also obsolete and produce warning SYSLIB0011, but have no behavioral changes:

Version introduced

5.0

Reason for change

These methods are marked obsolete as part of an effort to wind down usage of BinaryFormatter within the .NET ecosystem.

  • Stop using BinaryFormatter in your code. Instead, consider using JsonSerializer or XmlSerializer. For more information, see BinaryFormatter security guide.

  • You can temporarily suppress the BinaryFormatter compile-time warning, which is SYSLIB0011. We recommend that you thoroughly assess your code for risks before choosing this option. The easiest way to suppress the warnings is to surround the individual call site with #pragma directives.

    using System.IO;
    using System.Runtime.Serialization.Formatters.Binary;

    // Now read the purchase order back from disk. PurchaseOrder is the
    // [Serializable] type written earlier; the pragma pair limits the
    // SYSLIB0011 suppression to this single call site.
    static PurchaseOrder ReadPurchaseOrder()
    {
        using (var readStream = new FileStream("myfile.bin", FileMode.Open))
        {
            var formatter = new BinaryFormatter();
    #pragma warning disable SYSLIB0011
            return (PurchaseOrder)formatter.Deserialize(readStream);
    #pragma warning restore SYSLIB0011
        }
    }

    You can also suppress the warning in the project file.

    <PropertyGroup>
      <OutputType>Exe</OutputType>
      <TargetFramework>net5.0</TargetFramework>
      <!-- Disable "BinaryFormatter is obsolete" warnings for entire project -->
      <NoWarn>$(NoWarn);SYSLIB0011</NoWarn>
    </PropertyGroup>

    If you suppress the warning in the project file, the warning is suppressed for all code files in the project. Suppressing SYSLIB0011 does not suppress warnings caused by using other obsolete APIs.

  • To continue using BinaryFormatter in ASP.NET apps, you can re-enable it in the project file. However, it's strongly recommended not to do this. For more information, see BinaryFormatter security guide.

    <PropertyGroup>
      <TargetFramework>net5.0</TargetFramework>
      <!-- Warning: Setting the following switch is *NOT* recommended in web apps. -->
      <EnableUnsafeBinaryFormatterSerialization>true</EnableUnsafeBinaryFormatterSerialization>
    </PropertyGroup>

For more information about recommended actions, see Resolving BinaryFormatter obsoletion and disablement errors.
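The first recommended action, moving the purchase-order round trip from BinaryFormatter to JsonSerializer, as an added example that is not code from this page or from the .NET documentation; the PurchaseOrder type, its fields and the temp-file path are constructed assumptions.

```csharp
using System;
using System.IO;
using System.Text.Json;

// Constructed sample type standing in for the page's PurchaseOrder. The
// [Serializable] attribute BinaryFormatter required is no longer needed.
public sealed class PurchaseOrder
{
    public string OrderId { get; set; } = "";
    public string Customer { get; set; } = "";
    public decimal Total { get; set; }
}

public static class PurchaseOrderStore
{
    // One shared options instance so writes and reads agree on casing.
    private static readonly JsonSerializerOptions Options =
        new JsonSerializerOptions { PropertyNameCaseInsensitive = true };

    // Replaces formatter.Serialize(writeStream, order).
    public static void Save(string path, PurchaseOrder order)
    {
        File.WriteAllText(path, JsonSerializer.Serialize(order, Options));
    }

    // Replaces (PurchaseOrder)formatter.Deserialize(readStream). The target
    // type is fixed by the generic argument, so the payload cannot choose
    // which type gets instantiated; that payload-driven type selection is
    // what makes BinaryFormatter unsafe on untrusted input. No SYSLIB0011
    // suppression is needed on this path.
    public static PurchaseOrder Load(string path)
    {
        var order = JsonSerializer.Deserialize<PurchaseOrder>(File.ReadAllText(path), Options);
        return order ?? throw new InvalidDataException($"{path} holds no purchase order.");
    }

    public static void Main()
    {
        // Constructed sample order and an assumed temp-file path (replaces "myfile.bin").
        string path = Path.Combine(Path.GetTempPath(), "myfile.json");
        var order = new PurchaseOrder { OrderId = "PO-1001", Customer = "Contoso", Total = 1234.50m };

        Save(path, order);
        PurchaseOrder roundTrip = Load(path);
        Console.WriteLine($"{roundTrip.OrderId} {roundTrip.Customer} {roundTrip.Total:F2}");
    }
}
```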

Affected APIs