PowerShell Studio and BinaryFormatter Class

With the release of PowerShell Studio 2025, we updated our Windows Form generated code to remove the BinaryFormatter class when loading image data for Images, Icons, and ImageLists.

Security Risks of BinaryFormatter

The BinaryFormatter class in .NET has long been a convenient way to serialize and deserialize objects, but it has a design flaw that makes it unsafe in modern applications: it will deserialize any type the payload names. It enforces no type constraints and performs no meaningful validation of the incoming bytes, so the data itself decides which objects get constructed. Anyone who can supply or tamper with the serialized data can therefore inject objects of their choosing or steer the deserialization process into executing arbitrary code. For a Windows Forms script this matters because the image payload is just a Base64 string in the form file, and the script is also what will be run on the target machine.

Microsoft marked the BinaryFormatter class as obsolete in .NET 5 (compiler warning SYSLIB0011) and recommends avoiding it because of these inherent security risks. Starting in .NET 9, the runtime no longer ships a working implementation: the type still exists, but its serialization and deserialization methods throw an exception upon use. PowerShell 7.5 is built on .NET 9, so scripts that still load images through BinaryFormatter will fail there even though they run unchanged under Windows PowerShell 5.1.
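The first thing a practitioner wants here is a way to find the scripts that will break before moving them to PowerShell 7.5. The following scanner is an added example and not part of the original article or of PowerShell Studio; the function name Find-BinaryFormatterUsage and the sample designer files it writes to a temp folder are constructed for the demonstration. It matches the type name, the Serialize/Deserialize calls that throw on .NET 9, and Base64 literals that begin with the BinaryFormatter stream header (bytes 00 01 00 00 00 FF FF FF FF encode as AAEAAAD/////), which catches payloads even when the formatter is created indirectly.

```powershell
# Added example (not from the original article): locate scripts that still depend
# on BinaryFormatter and will throw on PowerShell 7.5 / .NET 9.
function Find-BinaryFormatterUsage {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [string[]]$Include = @('*.ps1', '*.psm1', '*.psf')
    )
    # Three signatures: the type name, the calls that throw on .NET 9, and the
    # Base64 form of the BinaryFormatter stream header (00 01 00 00 00 FF FF FF FF).
    $patterns = 'BinaryFormatter', '\.(Serialize|Deserialize)\(', 'AAEAAAD/////'
    Get-ChildItem -Path $Path -Include $Include -Recurse -File |
        Select-String -Pattern $patterns |
        ForEach-Object {
            [pscustomobject]@{
                File = $_.Path
                Line = $_.LineNumber
                Text = $_.Line.Trim()
            }
        }
}

# Constructed sample files in the style of old and new designer output.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) ('bf-scan-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $sample | Out-Null

@'
$formatter = New-Object System.Runtime.Serialization.Formatters.Binary.BinaryFormatter
$stream = New-Object System.IO.MemoryStream (,[byte[]][System.Convert]::FromBase64String('AAEAAAD/////AQAAAAAAAAA='))
$form1.Icon = $formatter.Deserialize($stream)
'@ | Set-Content -Path (Join-Path $sample 'OldForm.designer.ps1')

@'
$stream = New-Object System.IO.MemoryStream (,[byte[]][System.Convert]::FromBase64String('iVBORw0KGgoAAAANSUhEUg=='))
$picturebox1.Image = [System.Drawing.Image]::FromStream($stream)
'@ | Set-Content -Path (Join-Path $sample 'NewForm.designer.ps1')

# Only the legacy file is reported: lines 1, 2 (header signature) and 3 match.
Find-BinaryFormatterUsage -Path $sample | Format-Table -AutoSize

Remove-Item -Path $sample -Recurse -Force
```

Point the function at a real script folder instead of the temp directory to get the list of forms that need to be re-exported from PowerShell Studio 2025 or hand-edited. The header signature is the most useful of the three patterns in practice, because a Base64 string starting with AAEAAAD///// is a BinaryFormatter stream regardless of how the code around it is written.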

Generated Code in PowerShell Studio

In PowerShell Studio 2025, the generated Windows Form designer code will now look something like the following:

An image is still written as a Base64 string and loaded into a MemoryStream, but the generated code now decodes it with the FromStream method of the Image class instead of handing the bytes to a BinaryFormatter. FromStream can only ever return an Image, so the payload no longer controls which type is instantiated. This change applies automatically the next time a PSF file is run or exported in PowerShell Studio.
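To make the difference concrete, the block below is an added example and is not the code that PowerShell Studio generates: it places the legacy BinaryFormatter loader beside the Image.FromStream pattern that replaces it, and runs both so the .NET 9 failure is visible. It assumes Windows, where System.Drawing is available to both Windows PowerShell 5.1 and PowerShell 7.x; the function names and the 16x16 bitmap it renders in memory as sample input are constructed for the demonstration.

```powershell
# Added example, not PowerShell Studio's generated code: legacy BinaryFormatter
# image loading beside the Image.FromStream replacement, run on the current runtime.
# Assumes Windows so that System.Drawing loads in both PowerShell 5.1 and 7.x.
Add-Type -AssemblyName System.Drawing

# Constructed sample: a 16x16 bitmap rendered in memory and encoded as Base64 PNG,
# standing in for the Base64 string a PSF file carries.
function New-SampleImageBase64 {
    $bmp = [System.Drawing.Bitmap]::new(16, 16)
    $g = [System.Drawing.Graphics]::FromImage($bmp)
    $g.Clear([System.Drawing.Color]::SteelBlue)
    $g.Dispose()
    $ms = [System.IO.MemoryStream]::new()
    $bmp.Save($ms, [System.Drawing.Imaging.ImageFormat]::Png)
    $bmp.Dispose()
    return [System.Convert]::ToBase64String($ms.ToArray())
}

# New pattern: the payload is plain image data, and FromStream can only hand
# back an Image, whatever the bytes contain.
function ConvertFrom-Base64Image {
    param([Parameter(Mandatory)][string]$Base64)
    $ms = [System.IO.MemoryStream]::new([byte[]][System.Convert]::FromBase64String($Base64))
    # Deliberately not disposed: GDI+ requires the stream to stay open for the
    # lifetime of the Image returned by FromStream.
    return [System.Drawing.Image]::FromStream($ms)
}

# Legacy pattern: the payload is a BinaryFormatter object graph, and Deserialize()
# instantiates whatever types the bytes name, not just an Image.
function ConvertFrom-Base64ImageLegacy {
    param([Parameter(Mandatory)][string]$Base64)
    $formatter = [System.Runtime.Serialization.Formatters.Binary.BinaryFormatter]::new()
    $ms = [System.IO.MemoryStream]::new([byte[]][System.Convert]::FromBase64String($Base64))
    try { return $formatter.Deserialize($ms) } finally { $ms.Dispose() }
}

# Builds the legacy payload the way older designer code stored it: the Image
# object serialized with BinaryFormatter. On .NET 9 this call itself throws.
function New-LegacyPayloadBase64 {
    param([Parameter(Mandatory)]$Image)
    $formatter = [System.Runtime.Serialization.Formatters.Binary.BinaryFormatter]::new()
    $ms = [System.IO.MemoryStream]::new()
    $formatter.Serialize($ms, $Image)
    return [System.Convert]::ToBase64String($ms.ToArray())
}

$pngBase64 = New-SampleImageBase64

# The replacement loader works on every runtime.
$image = ConvertFrom-Base64Image -Base64 $pngBase64
"FromStream: {0}x{1}" -f $image.Width, $image.Height

# The legacy loader works on Windows PowerShell 5.1 (.NET Framework) but throws on
# PowerShell 7.5 (.NET 9), which is exactly what breaks older generated forms.
try {
    $legacy = ConvertFrom-Base64ImageLegacy -Base64 (New-LegacyPayloadBase64 -Image $image)
    "BinaryFormatter: {0}x{1} (this runtime still ships an implementation)" -f $legacy.Width, $legacy.Height
} catch {
    # PowerShell wraps exceptions thrown by .NET methods; report the inner one.
    $ex = $_.Exception
    if ($ex.InnerException) { $ex = $ex.InnerException }
    "BinaryFormatter: {0} on PowerShell {1} / {2}" -f $ex.GetType().Name,
        $PSVersionTable.PSVersion,
        [System.Runtime.InteropServices.RuntimeInformation]::FrameworkDescription
}
```

Two details are worth keeping when you apply the same change to your own scripts. First, do not close the MemoryStream right after FromStream the way the old code closed it after Deserialize; GDI+ documents that the stream must remain open for the lifetime of the Image, so either keep the stream variable alive or clone the image into a new Bitmap before disposing it. Second, an Icon is not an Image, so form icons use the Icon constructor that takes a Stream rather than Image.FromStream, and ImageList entries are added through the Images collection once each Image has been loaded.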

Feedback

As always, any feedback is appreciated. If you have a particular type of blog article or product feature request you would like to see, please submit your suggestions on the Wish List and Feature Requests forum or the Feature Requests page.