Microsoft announced that it is removing the BinaryFormatter feature due to security concerns.
In the planned .NET 9 open source application platform, Microsoft has outlined the risks of using BinaryFormatter.
In an August 28 blog post, the company noted that “any deserializer, binary or text, that lets its input carry information about the objects it will produce is a security vulnerability.” Deserializer methods can be used as a vector for DDoS attacks against consuming apps.
The company posted a link to the Common Weakness Enumeration (CWE) entry that describes the issue: CWE-502: Deserialization of Untrusted Data. In deciding to remove the formatter from .NET 9, which is scheduled for production release in November, Microsoft said it strongly believes that .NET should make it easy for users to do the right thing and hard for them to do the wrong thing. Shipping a technology that is widely considered unsafe, the company said, goes against that goal.
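The following C# snippet is an added illustration of the point in Microsoft's quote, not code from the article or from Microsoft's post. It contrasts the legacy pattern, where the incoming byte stream names the types the runtime will construct (the CWE-502 condition), with deserialization into a type fixed in code via System.Text.Json. The `UserProfile` type and the JSON sample are constructed for the example; the behaviour of the legacy path on .NET 8 and later (throwing `NotSupportedException` unless the app opts in through the `System.Runtime.Serialization.EnableUnsafeBinaryFormatterSerialization` runtime switch) is stated from the .NET documentation and is the assumption the `catch` block relies on.

```csharp
// Added example, not from the article. Contrasts input-selected types
// (BinaryFormatter) with a target type fixed by the application.
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text;
using System.Text.Json;

// Constructed example type; the application decides this is the only
// shape untrusted input may produce.
[Serializable]
public sealed class UserProfile
{
    public string Name { get; set; } = "";
    public int Age { get; set; }
}

public static class Demo
{
    // Before (CWE-502): the payload, not the program, decides which CLR
    // types are instantiated. Any type the stream names is a candidate.
#pragma warning disable SYSLIB0011 // BinaryFormatter is obsolete
    public static object DeserializeUntrustedLegacy(byte[] payload)
    {
        var formatter = new BinaryFormatter();
        using var stream = new MemoryStream(payload);
        return formatter.Deserialize(stream); // type chosen by the input
    }
#pragma warning restore SYSLIB0011

    // After: the target type is fixed in code. System.Text.Json never lets
    // the document select a CLR type; unrecognised members such as a
    // "$type"-style field are simply ignored.
    public static UserProfile DeserializeUntrustedSafe(byte[] payload)
    {
        var options = new JsonSerializerOptions
        {
            PropertyNameCaseInsensitive = true,
            MaxDepth = 16, // bound nesting so hostile input cannot exhaust the stack
        };
        return JsonSerializer.Deserialize<UserProfile>(payload, options)
               ?? throw new InvalidDataException("empty document");
    }

    public static void Main()
    {
        // Constructed sample input with an extra member that a
        // type-carrying format would treat as an instruction.
        byte[] json = Encoding.UTF8.GetBytes(
            "{\"name\":\"alice\",\"age\":30,\"$type\":\"ignored\"}");

        UserProfile profile = DeserializeUntrustedSafe(json);
        Console.WriteLine($"{profile.Name} ({profile.Age})");

        // Assumption: on .NET 8+ this throws NotSupportedException unless
        // EnableUnsafeBinaryFormatterSerialization is set; on older
        // runtimes the non-binary input fails with SerializationException.
        try
        {
            DeserializeUntrustedLegacy(json);
        }
        catch (NotSupportedException ex)
        {
            Console.WriteLine($"legacy path blocked by runtime: {ex.Message}");
        }
        catch (Exception ex)
        {
            Console.WriteLine($"legacy path failed: {ex.GetType().Name}");
        }
    }
}
```

The design point is the one the article's quote makes: `DeserializeUntrustedSafe` cannot produce anything other than a `UserProfile` no matter what the bytes say, so the attack surface is the one class the developer chose rather than every loadable type in the process. Migrating existing BinaryFormatter call sites to a schema-fixed format like this is the path Microsoft recommends over enabling the compatibility switch.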
BinaryFormatter was previously deprecated in .NET Core 1.0, but was reintroduced in .NET Core 2.0 due to customer demand. It has been on a removal path since then.
We are slowly turning this feature off by default for many project types, but provide an opt-in flag if needed for backwards compatibility.