BinaryFormatter is an insecure serializer built into the .NET Framework, that's disabled by default in ASP.NET web apps since .NET 5.0 and removed from .NET 9 onwards. Microsoft advises against its use. It serializes fields regardless of their visibility into an unspecified binary format. It supports polymorphism and cyclic object graphs.
