Deserialization of Untrusted Data (.NET BinaryFormatter Object Deserialization)
Description
This vulnerability occurs when a .NET application uses the BinaryFormatter class to deserialize data received from untrusted sources, such as user input, uploaded files, cookies, message queues or external APIs. The BinaryFormatter stream carries the assembly and type name of every object it contains, and the formatter instantiates those types and populates their fields on the sole authority of the stream. An attacker who controls the stream can therefore name types whose constructors, property setters or deserialization callbacks have side effects (so-called gadget chains), and have that code run during deserialization, typically leading to remote code execution. The root cause is that the deserialization mechanism trusts type information embedded in attacker-controlled data without any validation.
Your application has been identified as vulnerable to .NET BinaryFormatter deserialization attacks, where user-controlled input is being deserialized without adequate security controls.
Remediation
Immediately discontinue the use of BinaryFormatter for deserializing untrusted data. Microsoft has officially deprecated BinaryFormatter because of its inherent security risks: calls to it produce the SYSLIB0011 obsoletion warning from .NET 5 onward, and in newer .NET versions the API throws unless it is explicitly re-enabled with the EnableUnsafeBinaryFormatterSerialization project setting. Do not re-enable it as a workaround. Microsoft recommends the following remediation steps:
1. Replace BinaryFormatter with secure alternatives: Use a serializer that binds the payload to a type you declare in code rather than a type named in the payload, such as System.Text.Json, Newtonsoft.Json with TypeNameHandling.None (the default), XmlSerializer or DataContractSerializer bound to a concrete type. Do not migrate to NetDataContractSerializer, SoapFormatter, LosFormatter or ObjectStateFormatter, which share the same type-dispatch weakness, and do not enable polymorphic type-name handling in the JSON serializer, which reintroduces it.
Example of secure JSON deserialization:
    // Instead of BinaryFormatter
    using System.Text.Json;

    // Deserialize to a specific, expected type; no type names are read from the payload
    MyDataClass data = JsonSerializer.Deserialize<MyDataClass>(jsonString)
        ?? throw new JsonException("payload deserialized to null");
2. If BinaryFormatter must be used temporarily: Implement a SerializationBinder that restricts deserialization to an explicit allowlist of safe types and throws for everything else, and attach it through the formatter's Binder property. Allow only simple, data-only types you own (no collections, delegates, or types with deserialization callbacks that do work). Treat this as a stopgap that narrows the attack surface rather than a fix: Microsoft's guidance is that restricting types does not make BinaryFormatter safe for untrusted input, and the formatter is still being removed.
Example of type restriction:
    using System;
    using System.Runtime.Serialization;

    public class SafeSerializationBinder : SerializationBinder
    {
        public override Type BindToType(string assemblyName, string typeName)
        {
            // Only allow specific safe types; compare the full name exactly
            if (typeName.Equals("MyNamespace.SafeClass", StringComparison.Ordinal))
            {
                return typeof(MyNamespace.SafeClass);
            }
            // Anything else aborts deserialization before the object is created
            throw new SerializationException("Unauthorized type: " + typeName);
        }
    }

    // Attach the binder to every formatter instance that touches untrusted data
    var formatter = new BinaryFormatter { Binder = new SafeSerializationBinder() };
3. Validate and sanitize all input: Never deserialize data from untrusted sources without strict validation, and validate the resulting object's values as well, since the serializer only guarantees the shape of the data, not that it is sensible.
4. Apply defense-in-depth: Run the application with minimal privileges and implement network segmentation to limit the impact of potential exploitation. Also search the codebase for other BinaryFormatter call sites and for the related formatters named above, since a single remaining sink leaves the application exploitable.
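The following is an added, self-contained example (not code from the original advisory or from Microsoft) that puts the three pieces above side by side: the vulnerable BinaryFormatter sink, the System.Text.Json replacement bound to one expected type, and the interim allowlist binder, with a small driver showing the binder rejecting a stream that names a type outside the allowlist. The type names UserProfile, Vulnerable, JsonRemediation, SafeSerializationBinder and RestrictedBinaryFormatter are hypothetical. The BinaryFormatter parts only execute on .NET Framework, or on .NET 5 through 8 with EnableUnsafeBinaryFormatterSerialization set to true in the project file; otherwise they throw NotSupportedException.

```csharp
// Added example, not part of the original advisory. Hypothetical type names throughout.
// BinaryFormatter calls require .NET Framework, or .NET 5-8 with
// <EnableUnsafeBinaryFormatterSerialization>true</EnableUnsafeBinaryFormatterSerialization>.
using System;
using System.Collections;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

[Serializable]
public sealed class UserProfile
{
    public string Name { get; set; } = "";
    public int Age { get; set; }
}

#pragma warning disable SYSLIB0011 // BinaryFormatter is obsolete; kept here to show the sink
public static class Vulnerable
{
    // The sink: whatever type the stream names gets instantiated and populated.
    public static object Deserialize(byte[] untrusted)
    {
        using var ms = new MemoryStream(untrusted);
        return new BinaryFormatter().Deserialize(ms);
    }
}

// Remediation 1: a format with no type-name dispatch, bound to one declared type.
public static class JsonRemediation
{
    private static readonly JsonSerializerOptions Options =
        new() { PropertyNameCaseInsensitive = true, MaxDepth = 16 }; // cap nesting

    public static UserProfile Parse(string untrustedJson)
    {
        var p = JsonSerializer.Deserialize<UserProfile>(untrustedJson, Options)
                ?? throw new InvalidDataException("empty payload");
        // Shape is guaranteed by the serializer; values still need validation.
        if (p.Name.Length is 0 or > 64 || p.Age is < 0 or > 150)
            throw new InvalidDataException("profile failed validation");
        return p;
    }
}

// Remediation 2 (stopgap only): BinaryFormatter limited to an explicit allowlist.
public sealed class SafeSerializationBinder : SerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed = new()
    {
        [typeof(UserProfile).FullName!] = typeof(UserProfile),
    };

    public override Type BindToType(string assemblyName, string typeName)
    {
        // Exact ordinal match on the full type name; anything else aborts deserialization.
        if (Allowed.TryGetValue(typeName, out var t)) return t;
        throw new SerializationException($"Type '{typeName}' from '{assemblyName}' is not allowed");
    }
}

public static class RestrictedBinaryFormatter
{
    public static UserProfile Deserialize(byte[] untrusted)
    {
        var formatter = new BinaryFormatter { Binder = new SafeSerializationBinder() };
        using var ms = new MemoryStream(untrusted);
        return (UserProfile)formatter.Deserialize(ms);
    }

    // Driver helper: produce streams so the allowlist can be exercised offline.
    public static byte[] Serialize(object graph)
    {
        using var ms = new MemoryStream();
        new BinaryFormatter().Serialize(ms, graph);
        return ms.ToArray();
    }
}
#pragma warning restore SYSLIB0011

public static class Program
{
    public static void Main()
    {
        // Constructed inputs, not captured attack traffic.
        var ok = RestrictedBinaryFormatter.Deserialize(
            RestrictedBinaryFormatter.Serialize(new UserProfile { Name = "alice", Age = 30 }));
        Console.WriteLine($"allowlisted type accepted: {ok.Name}");

        // A stream naming a type outside the allowlist (a harmless Hashtable stands in for
        // a gadget type) is rejected by the binder before any instance is created.
        try
        {
            RestrictedBinaryFormatter.Deserialize(RestrictedBinaryFormatter.Serialize(new Hashtable()));
        }
        catch (SerializationException e)
        {
            Console.WriteLine($"rejected: {e.Message}");
        }

        Console.WriteLine(JsonRemediation.Parse("{\"name\":\"bob\",\"age\":41}").Age);
    }
}
```

Note that Vulnerable.Deserialize is never called by the driver; it is there to make the contrast visible. In the allowlist, the value types reachable from UserProfile (string and int) are handled by the formatter without consulting the binder, which is why a data-only class with primitive members is the right kind of type to permit.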