Edit

CA2305: Do not use insecure deserializer LosFormatter

  • Article
Property Value
Rule ID CA2305
Title Do not use insecure deserializer LosFormatter
Category Security
Fix is breaking or non-breaking Non-breaking
Enabled by default in .NET 8 No

Cause

A System.Web.UI.LosFormatter deserialization method was called or referenced.

Rule description

Insecure deserializers are vulnerable when deserializing untrusted data. An attacker could modify the serialized data to include unexpected types to inject objects with malicious side effects. An attack against an insecure deserializer could, for example, execute commands on the underlying operating system, communicate over the network, or delete files.

This rule finds System.Web.UI.LosFormatter deserialization method calls or references.

LosFormatter is insecure and can't be made secure. For more information, see the BinaryFormatter security guide.

How to fix violations

  • Use a secure serializer instead, and don't allow an attacker to specify an arbitrary type to deserialize. For more information see Preferred alternatives.
  • Make the serialized data tamper-proof. After serialization, cryptographically sign the serialized data. Before deserialization, validate the cryptographic signature. Protect the cryptographic key from being disclosed and design for key rotations.

When to suppress warnings

LosFormatter is insecure and can't be made secure.

Pseudo-code examples

Violation

using System.IO;
using System.Web.UI;

public class ExampleClass
{
    public object MyDeserialize(byte[] bytes)
    {
        LosFormatter formatter = new LosFormatter();
        return formatter.Deserialize(new MemoryStream(bytes));
    }
}

Imports System.IO
Imports System.Web.UI

Public Class ExampleClass
    Public Function MyDeserialize(bytes As Byte()) As Object
        Dim formatter As LosFormatter = New LosFormatter()
        Return formatter.Deserialize(New MemoryStream(bytes))
    End Function
End Class