Passing untrusted format strings to String.Format can throw exceptions and cause a denial of service. For example, if the format string references a missing argument, or an argument of the wrong type, then System.FormatException is thrown.

Use a string literal for the format string to prevent the possibility of data flow from an untrusted source. This also helps to prevent errors where the arguments to String.Format do not match the format string.

If the format string cannot be constant, ensure that it comes from a secure data source or is compiled into the source code.

In this example, the format string is read from an HTTP request, which could cause the application to crash.

OWASP: Format string attack.

Microsoft docs: String.Format Method