Deserializing a delegate object may result in remote code execution, when an attacker can control the serialized data.
Avoid deserializing delegate objects, if possible, or make sure that the serialized data cannot be controlled by an attacker.
In this example, a file stream is deserialized to a
object, using a
BinaryFormatter. The file stream is a parameter of a public
method, so depending on the calls to
InvokeSerialized, this may or may not
pose a security problem.