CVE-2025-66631: Csla affected by Remote Code Execution via WcfProxy (NetDataContractSerializer)
Versions of CSLA .NET prior to version 6 allow the use of WcfProxy. WcfProxy uses the NetDataContractSerializer (NDCS), which has known vulnerabilities that can allow remote code execution during deserialization. NDCS itself is considered obsolete; avoid using WcfProxy, or upgrade to CSLA 6 or higher, where this issue does not exist.
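One way to check a code base for the condition described above (an added example, not code from the CSLA project or from this advisory): the script flags `Csla` package references with a major version below 6 and lines that name `WcfProxy` or `NetDataContractSerializer`. The package-id pattern, the function names, and the sample project and config text are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs for illustration; not taken from any real project.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Csla" Version="5.5.4" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""
SAMPLE_CONFIG = """<configuration>
  <appSettings>
    <add key="CslaDataPortalProxy" value="Csla.DataPortalClient.WcfProxy, Csla" />
  </appSettings>
</configuration>"""

RISKY = re.compile(r"\b(WcfProxy|NetDataContractSerializer)\b")

def _local(tag):
    """Strip an XML namespace so old-style and SDK-style csproj both match."""
    return tag.rsplit("}", 1)[-1]

def old_csla_refs(csproj_text):
    """Return (package, version) for Csla references whose major version is < 6."""
    hits = []
    for el in ET.fromstring(csproj_text).iter():
        name = el.get("Include", "")
        # Assumption: package ids are "Csla" or start with "Csla." (case-insensitive).
        if _local(el.tag) != "PackageReference" or not re.fullmatch(r"(?i)csla(\..+)?", name):
            continue
        version = el.get("Version") or next(
            (c.text or "" for c in el if _local(c.tag) == "Version"), "")
        major = re.match(r"\s*[\[(]?\s*(\d+)", version)
        # An unparsable or missing version is reported for manual review.
        if major is None or int(major.group(1)) < 6:
            hits.append((name, version.strip() or "unknown"))
    return hits

def risky_lines(text):
    """Return (line number, matched identifier) for each WcfProxy/NDCS reference."""
    return [(n, m.group(1)) for n, line in enumerate(text.splitlines(), 1)
            for m in [RISKY.search(line)] if m]

if __name__ == "__main__":
    print("Csla < 6:", old_csla_refs(SAMPLE_CSPROJ))
    print("Proxy/serializer references:", risky_lines(SAMPLE_CONFIG))
```

A version below 6 on its own means WcfProxy is available to the application; a `risky_lines` hit in config or source shows where it, or NDCS directly, is actually referenced.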
References
- github.com/MarimerLLC/csla
- github.com/MarimerLLC/csla/issues/4001
- github.com/MarimerLLC/csla/pull/4018
- github.com/MarimerLLC/csla/security/advisories/GHSA-wq34-7f4g-953v
- github.com/advisories/GHSA-wq34-7f4g-953v
- learn.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/ca2310
- nvd.nist.gov/vuln/detail/CVE-2025-66631