CVE-2025-66631

HIGH
7.2
CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X (not defined)

Lifecycle Timeline

Analysis Generated
Mar 17, 2026 - 20:45 vuln.today
Patch Released
Mar 17, 2026 - 20:45 nvd
Patch available
CVE Published
Dec 09, 2025 - 16:18 nvd

Description

CSLA .NET is a framework designed for the development of reusable, object-oriented business layers for applications. Versions 5.5.4 and below allow the use of WcfProxy. WcfProxy uses the now-obsolete NetDataContractSerializer (NDCS) and is vulnerable to remote code execution during deserialization. This vulnerability is fixed in version 6.0.0. To workaround this issue, remove the WcfProxy in data portal configurations.

Analysis

A critical remote code execution vulnerability exists in CSLA .NET framework versions 5.5.4 and below due to insecure deserialization when using WcfProxy with the obsolete NetDataContractSerializer. This vulnerability allows unauthenticated remote attackers to execute arbitrary code on affected systems without user interaction, potentially leading to complete system compromise. While no active exploitation has been reported in CISA KEV and no public POC is mentioned, the vulnerability's network-exposed nature and low attack complexity make it a high-priority security concern.

Technical Context

CSLA .NET is a popular business layer development framework identified by CPE cpe:2.3:a:marimer:csla_.net:*:*:*:*:*:*:*:*. The vulnerability stems from the framework's WcfProxy component using NetDataContractSerializer (NDCS), a now-deprecated .NET serializer known to be vulnerable to deserialization attacks. This falls under CWE-502 (Deserialization of Untrusted Data): untrusted input is deserialized without proper validation, so an attacker who can supply a crafted serialized payload gets code executed during the deserialization process. NetDataContractSerializer was deprecated precisely because it lacks the safeguards of serializers like DataContractSerializer; unlike those, it embeds .NET type information in the serialized data, so the receiving side instantiates whatever types the payload names.

Affected Products

CSLA .NET framework versions 5.5.4 and below are vulnerable when using the WcfProxy component, as identified through CPE cpe:2.3:a:marimer:csla_.net:*:*:*:*:*:*:*:*. The vulnerability specifically affects applications that have implemented data portal configurations using WcfProxy with NetDataContractSerializer. Version 6.0.0 and later have removed support for the vulnerable WcfProxy component entirely. Detailed information is available in the vendor's security advisory at https://github.com/MarimerLLC/csla/security/advisories/GHSA-wq34-7f4g-953v.

Remediation

Upgrade CSLA .NET to version 6.0.0 or later, which completely removes the vulnerable WcfProxy component, as documented in pull request https://github.com/MarimerLLC/csla/pull/4018. For systems that cannot immediately upgrade, remove WcfProxy from all data portal configurations and migrate to secure alternatives like HttpProxy or GrpcProxy. Organizations should audit their CSLA .NET implementations to identify any usage of WcfProxy and prioritize remediation based on internet exposure. Additional details on the vulnerability and migration guidance can be found at https://github.com/MarimerLLC/csla/issues/4001.
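The audit step above can be scripted. The following is an added example, not code from vuln.today or the CSLA project: it walks a source tree, flags any file that references WcfProxy or NetDataContractSerializer, and flags NuGet package references to CSLA packages below the fixed version 6.0.0. The scanned file extensions, the PackageReference pattern and the sample file contents are assumptions constructed for the demo.

```python
"""Audit a CSLA .NET source tree for WcfProxy / NDCS usage (CVE-2025-66631)."""
import re
import tempfile
from pathlib import Path

# Indicators taken from the advisory: the vulnerable data portal proxy and the serializer it uses.
INDICATORS = ("WcfProxy", "NetDataContractSerializer")
# Assumed set of file types worth scanning in a typical CSLA solution.
SCAN_SUFFIXES = {".config", ".cs", ".json", ".xml", ".csproj", ".props"}
FIXED_VERSION = (6, 0, 0)  # first release without WcfProxy, per the advisory
# Assumed shape of NuGet references to CSLA packages, e.g. Include="CSLA-Core".
PKG_RE = re.compile(r'<PackageReference\s+Include="(CSLA[^"]*)"\s+Version="([^"]+)"', re.I)


def parse_version(text):
    """Leading numeric components of a version string: "5.5.4" -> (5, 5, 4)."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def scan_text(path, text):
    """Return (path, line_no, reason) for every suspicious line in one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for ind in INDICATORS:
            if ind in line:
                findings.append((str(path), lineno, ind))
        for pkg, ver in PKG_RE.findall(line):
            if parse_version(ver) < FIXED_VERSION:
                findings.append((str(path), lineno, f"{pkg} {ver} < 6.0.0"))
    return findings


def audit_tree(root):
    """Scan every file under root whose suffix is in SCAN_SUFFIXES."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in SCAN_SUFFIXES:
            findings.extend(scan_text(p, p.read_text(errors="replace")))
    return findings


if __name__ == "__main__":
    # Constructed sample project: a config naming WcfProxy and an old CSLA package reference.
    with tempfile.TemporaryDirectory() as d:
        Path(d, "web.config").write_text(
            '<add key="CslaDataPortalProxy" value="Csla.DataPortalClient.WcfProxy, Csla" />\n')
        Path(d, "App.csproj").write_text(
            '<PackageReference Include="CSLA-Core" Version="5.5.3" />\n')
        for path, line, reason in audit_tree(d):
            print(f"{path}:{line}: {reason}")
```

Any hit on WcfProxy in a data portal configuration, or a CSLA package below 6.0.0, marks the application for upgrade or for migration to HttpProxy or GrpcProxy.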

Priority Score: 36 (scale: Low / Medium / High / Critical)

KEV: 0
EPSS: +0.5
CVSS: +36
POC: 0

CVE-2025-66631 vulnerability details – vuln.today