GHSA-wq34-7f4g-953v

Source
https://github.com/advisories/GHSA-wq34-7f4g-953v
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-wq34-7f4g-953v/GHSA-wq34-7f4g-953v.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-wq34-7f4g-953v
Aliases
Published
2025-12-08T22:15:56Z
Modified
2025-12-09T19:52:27.238034Z
Severity
  • 7.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
Summary
Csla affected by Remote Code Execution via WcfProxy (NetDataContractSerializer)
Details

Impact

Versions of CSLA .NET prior to version 6 allow the use of WcfProxy. WcfProxy uses the NetDataContractSerializer (NDCS), which has known vulnerabilities that can allow remote code execution during deserialization. NDCS itself is considered obsolete, so you should avoid using WcfProxy, or upgrade to CSLA 6 or higher, where this issue does not exist.

Patches

CSLA .NET version 6 and higher do not use WCF or NetDataContractSerializer.

Workarounds

If you are using a version of CSLA .NET older than version 6, you should stop using WcfProxy in your data portal configuration. Doing this avoids the use of WCF and the NetDataContractSerializer, and therefore the vulnerability.
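As an added illustration (not part of the advisory or the CSLA project's own documentation), an app.config fragment showing the data portal proxy setting that triggers this issue next to a non-WCF replacement. It assumes the CSLA 4.x/5.x convention of selecting the client proxy through the CslaDataPortalProxy appSettings key, with CslaDataPortalUrl pointing at the server endpoint; the type names and URLs below are assumptions and placeholders, so check them against the CSLA version you actually run.

```xml
<!-- Added example, not from the advisory. Assumed CSLA 4.x/5.x appSettings keys. -->
<configuration>
  <appSettings>
    <!-- Weak setting: WcfProxy sends every data portal call over WCF, and the
         response is deserialized with NetDataContractSerializer (CWE-502), which
         resolves types named in the payload. Do not use on CSLA < 6. -->
    <!--
    <add key="CslaDataPortalProxy" value="Csla.DataPortalClient.WcfProxy, Csla" />
    <add key="CslaDataPortalUrl"   value="https://example.invalid/DataPortal/WcfPortal.svc" />
    -->

    <!-- Replacement (assumed type name): HttpProxy uses the HTTP data portal channel
         and does not involve WCF or NetDataContractSerializer. The URL is a placeholder. -->
    <add key="CslaDataPortalProxy" value="Csla.DataPortalClient.HttpProxy, Csla" />
    <add key="CslaDataPortalUrl"   value="https://example.invalid/DataPortal/api/DataPortal" />
  </appSettings>
</configuration>
```

When auditing a CSLA < 6 deployment, a search of all app.config/web.config files and any fluent configuration code for the string "WcfProxy" (client side) and for a WcfPortal.svc endpoint (server side) is a quick way to confirm the workaround has been applied everywhere.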

Database specific
{
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-502"
    ],
    "github_reviewed_at": "2025-12-08T22:15:56Z",
    "nvd_published_at": "2025-12-09T16:18:22Z",
    "github_reviewed": true
}
References

Affected packages

NuGet / Csla

Affected ranges

Type: ECOSYSTEM
Events:
  Introduced: 0 (unknown introduced version; all previous versions are affected)
  Fixed: 6.0.0

Affected versions

5.*

5.0.0-R19052204
5.0.0-R19080501
5.0.0-R19082107
5.0.0-R19082803
5.0.0-R19090201
5.0.0-R19091001
5.0.0-R19091005
5.0.0-R19091601
5.0.0-R19091701
5.0.0
5.0.1
5.1.0-R19101002
5.1.0-R19110101
5.1.0-R19110701
5.1.0-R19122302
5.1.0-R20011901
5.1.0-R20012001
5.1.0-R20012201
5.1.0-R20020503
5.1.0-R20020701
5.1.0
5.2.0-R20040904
5.2.0-R20042401
5.2.0-R20042901
5.2.0-R20050802
5.2.0
5.3.0-R20062901
5.3.0
5.3.1-R20082601
5.3.1
5.3.2
5.4.0-R20111002
5.4.0-R20111202
5.4.0-R20113004
5.4.0
5.4.1-R21011901
5.4.1
5.4.2-R21040501
5.4.2
5.5.0-R21070101
5.5.0-R21071901
5.5.0
5.5.1-R21080301
5.5.1-R21082202
5.5.1
5.5.2-R21101501
5.5.2
5.5.3
5.5.4

6.*

6.0.0-R22020902
6.0.0-R22022201
6.0.0-R22031601
6.0.0-R22040701
6.0.0-R22042501