Vulnerability Description
CSLA .NET is a framework designed for the development of reusable, object-oriented business layers for applications. Versions 5.5.4 and below allow the use of WcfProxy. WcfProxy uses the now-obsolete NetDataContractSerializer (NDCS) and is vulnerable to remote code execution during deserialization. This vulnerability is fixed in version 6.0.0. To workaround this issue, remove the WcfProxy in data portal configurations.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cslanet | Csla .Net | < 6.0.0 |
Related Weaknesses (CWE)
References
- https://github.com/MarimerLLC/csla/issues/4001Issue Tracking
- https://github.com/MarimerLLC/csla/pull/4018Issue TrackingPatch
- https://github.com/MarimerLLC/csla/security/advisories/GHSA-wq34-7f4g-953vMitigationVendor Advisory
FAQ
What is CVE-2025-66631?
CVE-2025-66631 is a vulnerability with a CVSS score of 9.8 (CRITICAL). CSLA .NET is a framework designed for the development of reusable, object-oriented business layers for applications. Versions 5.5.4 and below allow the use of WcfProxy. WcfProxy uses the now-obsolete ...
How severe is CVE-2025-66631?
CVE-2025-66631 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-66631?
Check the references section above for vendor advisories and patch information. Affected products include: Cslanet Csla .Net.