C#

Made by DeepSource

Binary Formatter deserializes data in an insecure manner and should not be used CS-S1006

Security
Critical
Tags: A08, CWE-502, SANS Top 25, OWASP Top 10

According to Microsoft, BinaryFormatter deserializes data in an insecure manner: deserializing a payload with it is "equivalent of interpreting the payload as a standalone executable and launching it". The format lets the byte stream name the types to instantiate, so an attacker who controls the input can run arbitrary code during deserialization, no matter what type the caller expects back. BinaryFormatter is marked obsolete (SYSLIB0011) since .NET 5, and from .NET 7 `Deserialize` throws `NotSupportedException` unless the project explicitly re-enables it. Switch to an alternative that handles untrusted data safely, such as XmlSerializer, DataContractSerializer, System.Text.Json, or a hand-written BinaryReader/BinaryWriter encoding. These are only safe when the target type is fixed in code and not derived from the input; in particular, do not accept an attacker-controlled `Type` for XmlSerializer, and do not substitute NetDataContractSerializer, which carries the same type-name risk as BinaryFormatter.
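The following is an added example, not code from the DeepSource page. It shows the pattern CS-S1006 flags beside a System.Text.Json replacement for the same round trip; the `SessionState` type, the `SessionCodec` class and the constructed payloads are hypothetical.

```csharp
// Added example: the BinaryFormatter pattern CS-S1006 flags (LoadUnsafe)
// beside a System.Text.Json replacement (Load/Save). Type names are hypothetical.
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text;
using System.Text.Json;

[Serializable]
public sealed class SessionState
{
    public string UserName { get; set; } = "";
    public DateTime ExpiresUtc { get; set; }
}

public static class SessionCodec
{
    // BAD: flagged by CS-S1006. The byte stream names the types to create, so a
    // crafted payload executes attacker-chosen code before the cast even runs.
    // Obsolete since .NET 5 (SYSLIB0011); throws NotSupportedException on .NET 7+
    // unless EnableUnsafeBinaryFormatterSerialization is set in the project.
    public static SessionState LoadUnsafe(byte[] untrustedBytes)
    {
        using var stream = new MemoryStream(untrustedBytes);
#pragma warning disable SYSLIB0011
        return (SessionState)new BinaryFormatter().Deserialize(stream);
#pragma warning restore SYSLIB0011
    }

    // GOOD: the target type is fixed in code; the payload can only populate
    // SessionState's own properties and cannot name other types to instantiate.
    public static SessionState Load(byte[] untrustedBytes)
    {
        var state = JsonSerializer.Deserialize<SessionState>(untrustedBytes)
                    ?? throw new InvalidDataException("payload is JSON null");
        // Deserialization only gives you a well-formed object; business rules
        // still need explicit checks.
        if (string.IsNullOrWhiteSpace(state.UserName))
            throw new InvalidDataException("missing UserName");
        if (state.ExpiresUtc <= DateTime.UtcNow)
            throw new InvalidDataException("session already expired");
        return state;
    }

    public static byte[] Save(SessionState state) =>
        JsonSerializer.SerializeToUtf8Bytes(state);
}

public static class Program
{
    public static void Main()
    {
        var original = new SessionState
        {
            UserName = "alice",
            ExpiresUtc = DateTime.UtcNow.AddHours(1),
        };

        byte[] wire = SessionCodec.Save(original);
        SessionState back = SessionCodec.Load(wire);
        Console.WriteLine($"ok: {back.UserName} until {back.ExpiresUtc:O}");

        // Constructed hostile input: a BinaryFormatter-style stream is not JSON,
        // so the replacement rejects it instead of interpreting it.
        byte[] notJson = { 0x00, 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF };
        try
        {
            SessionCodec.Load(notJson);
        }
        catch (JsonException e)
        {
            Console.WriteLine($"rejected non-JSON payload: {e.Message}");
        }

        // Constructed input with an unexpected property: ignored, not executed.
        byte[] extra = Encoding.UTF8.GetBytes(
            "{\"UserName\":\"bob\",\"ExpiresUtc\":\"2999-01-01T00:00:00Z\",\"Cmd\":\"calc\"}");
        Console.WriteLine($"unknown members ignored: {SessionCodec.Load(extra).UserName}");
    }
}
```

`LoadUnsafe` is kept only to show what the rule matches; in a real fix, delete it rather than suppressing the warning. If the existing wire format is BinaryFormatter output from older clients, migrate by versioning the payload (for example a leading format byte) and accepting only the new encoding from untrusted sources.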

Reference