Csla affected by Remote Code Execution via WcfProxy (NetDataContractSerializer)
GHSA-wq34-7f4g-953v · CVE-2025-66631
Published · Modified
Description
Impact
Versions of CSLA .NET prior to version 6 allow the use of WcfProxy. WcfProxy uses the NetDataContractSerializer (NDCS) which has known vulnerabilities that can allow remote execution of code during deserialization. NDCS itself is considered obsolete, and you should avoid using WcfProxy or upgrade to CSLA 6 or higher where this issue does not exist.
Patches
CSLA .NET version 6 and higher do not use WCF or NetDataContractSerializer.
Workarounds
If you are using a version CSLA .NET older than version 6, you should stop using WcfProxy in your data portal configuration. Doing this avoids the use of WCF and the NetDataContractSerializer, avoiding the vulnerability.
References
- WEB https://github.com/MarimerLLC/csla/security/advisories/GHSA-wq34-7f4g-953v
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-66631
- WEB https://github.com/MarimerLLC/csla/issues/4001
- WEB https://github.com/MarimerLLC/csla/pull/4018
- PACKAGE https://github.com/MarimerLLC/csla
- WEB https://learn.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/ca2310
Ready to move
Start Securing
Free, no credit card | First findings in minutes