Deserialization of Untrusted Data
| Property | Value |
|---|---|
| Language | csharp |
| Severity | |
| CWE | CWE-502: Deserialization of Untrusted Data |
| OWASP | A08:2017 - Insecure Deserialization |
| Confidence Level | High |
| Impact Level | High |
| Likelihood Level | Medium |
Description
Using BinaryFormatter for serialization or deserialization is unsafe: it processes the input in ways that let an attacker who controls the data run arbitrary code. Even if the data appears trustworthy, BinaryFormatter cannot be made safe against exploitation, so the fix is to stop using it rather than to filter its input.
Impact
If exploited, an attacker could remotely execute code on your server or compromise sensitive data by sending crafted input to your application. This can lead to full system compromise, data breaches, and loss of control over the application environment.
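The following C# is an added illustration for this rule, not code from the rule page or from any project it scans. It shows the pattern the rule flags (a `BinaryFormatter.Deserialize` call on bytes received from a caller) next to the remediation the description implies: replace the formatter with a data-only serializer bound to one concrete type. The `OrderMessage` type, the `OrderHandlers` class and the method names are hypothetical; `System.Text.Json` and the `SYSLIB0011` obsoletion warning are real .NET APIs.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

// Hypothetical message type shared by both handlers below.
public sealed class OrderMessage
{
    public int OrderId { get; set; }
    public string Customer { get; set; } = "";
}

public static class OrderHandlers
{
    // VULNERABLE (the pattern this rule reports): BinaryFormatter decides which
    // types to instantiate from the byte stream itself, so whoever supplies the
    // bytes, not this code, controls what gets constructed and run.
    // .NET 5+ marks this API obsolete (SYSLIB0011); the pragma only silences the
    // compiler, it does not make the call safe.
#pragma warning disable SYSLIB0011
    public static OrderMessage DeserializeUnsafe(byte[] untrustedBytes)
    {
        var formatter = new BinaryFormatter();
        using var stream = new MemoryStream(untrustedBytes);
        return (OrderMessage)formatter.Deserialize(stream); // CWE-502 sink
    }
#pragma warning restore SYSLIB0011

    // HARDENED: System.Text.Json never reads a type name from the payload; it only
    // fills the properties of the type named in code, so untrusted input cannot
    // select a class to construct.
    private static readonly JsonSerializerOptions Options = new()
    {
        PropertyNameCaseInsensitive = true,
        MaxDepth = 16, // bound nesting so deeply nested payloads fail fast
    };

    public static OrderMessage DeserializeSafe(byte[] untrustedBytes)
    {
        var message = JsonSerializer.Deserialize<OrderMessage>(untrustedBytes, Options)
            ?? throw new InvalidDataException("payload was null or empty");

        // A safe parser only guarantees well-formed data; business rules are
        // still the application's job.
        if (message.OrderId <= 0 || string.IsNullOrWhiteSpace(message.Customer))
            throw new InvalidDataException("order message failed validation");

        return message;
    }
}
```

`DeserializeUnsafe` is what the rule matches; `DeserializeSafe` is the shape of a remediation. Because the description states that BinaryFormatter cannot be made safe, wrapping the call in a `SerializationBinder`, a `try`/`catch`, or an allow-list of expected types is not a fix for this finding; only removing the `BinaryFormatter` dependency clears it.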