CA2315 (category: Security). Enabled by default: No

Do not use insecure deserializer ObjectStateFormatter

Microsoft docs

Description

Insecure deserializers are vulnerable when deserializing untrusted data. An attacker could modify the serialized data to include unexpected types to inject objects with malicious side effects.

Cause

A System.Web.UI.ObjectStateFormatter deserialization method was called or referenced.

Example

using System.IO;
using System.Web.UI;

public class ExampleClass
{
    // The input bytes are treated as untrusted. CA2315 fires on the
    // Deserialize call below because ObjectStateFormatter accepts arbitrary types.
    public object MyDeserialize(byte[] bytes)
    {
        ObjectStateFormatter formatter = new ObjectStateFormatter();
        return formatter.Deserialize(new MemoryStream(bytes));
    }
}
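The following is an added example, not code from the rule page or from Microsoft. It shows the mitigation that applies when ObjectStateFormatter cannot be replaced: the serialized bytes are signed with an HMAC, and the consumer verifies the tag before any byte reaches Deserialize, so tampered or attacker-constructed payloads are rejected up front. The envelope layout (32-byte HMAC-SHA256 tag followed by the payload), the SignedStateFormatter class name, and the assumption that the key is provisioned out of band and never travels with the data are all this example's own choices.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Web.UI;

// Added example (assumed design, not part of the rule page):
// envelope = HMAC-SHA256(key, payload) || payload.
// The key is assumed to come from protected configuration, never from the request.
public static class SignedStateFormatter
{
    private const int TagLength = 32; // HMAC-SHA256 output size in bytes

    // Serializes the state and prefixes it with an integrity tag.
    public static byte[] SerializeAndSign(object state, byte[] key)
    {
        byte[] payload;
        using (var ms = new MemoryStream())
        {
            new ObjectStateFormatter().Serialize(ms, state);
            payload = ms.ToArray();
        }

        byte[] tag;
        using (var hmac = new HMACSHA256(key))
        {
            tag = hmac.ComputeHash(payload);
        }

        var envelope = new byte[TagLength + payload.Length];
        Buffer.BlockCopy(tag, 0, envelope, 0, TagLength);
        Buffer.BlockCopy(payload, 0, envelope, TagLength, payload.Length);
        return envelope;
    }

    // Verifies the tag first; only an envelope that passes is handed to Deserialize.
    // Anything too short, unsigned, or modified in transit throws before deserialization.
    public static object VerifyAndDeserialize(byte[] envelope, byte[] key)
    {
        if (envelope == null || envelope.Length < TagLength)
            throw new CryptographicException("Envelope too short to contain a tag.");

        var expectedTag = new byte[TagLength];
        Buffer.BlockCopy(envelope, 0, expectedTag, 0, TagLength);

        var payload = new byte[envelope.Length - TagLength];
        Buffer.BlockCopy(envelope, TagLength, payload, 0, payload.Length);

        byte[] actualTag;
        using (var hmac = new HMACSHA256(key))
        {
            actualTag = hmac.ComputeHash(payload);
        }

        if (!FixedTimeEquals(actualTag, expectedTag))
            throw new CryptographicException("Integrity check failed; refusing to deserialize.");

        // Reached only for data this process (or a holder of the same key) produced.
        return new ObjectStateFormatter().Deserialize(new MemoryStream(payload));
    }

    // Constant-time comparison written out by hand so the example also builds on
    // .NET Framework, where System.Web lives and CryptographicOperations is unavailable.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Constructed round-trip: sign, flip one payload byte, and observe the rejection.
    public static void Demo()
    {
        var key = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(key);

        byte[] envelope = SerializeAndSign(new object[] { "page", 42 }, key);
        object ok = VerifyAndDeserialize(envelope, key); // succeeds

        envelope[envelope.Length - 1] ^= 0x01; // simulate tampering with the payload
        try { VerifyAndDeserialize(envelope, key); }
        catch (CryptographicException) { /* expected: tampered input never deserialized */ }
    }
}
```

Two caveats for using this in practice. The analyzer still reports CA2315 on the Deserialize call inside VerifyAndDeserialize, since the rule fires on any call or reference; suppress it only at that one site, with the integrity check as the justification. And the signature defends against modification of data you produced, not against a legitimate signer being compromised, so a serializer that only accepts known types remains the stronger fix where one is available.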