CVE-2025-66631 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2025-66631

CVE-2025-66631

December 09, 2025

CSLA .NET is a framework designed for the development of reusable, object-oriented business layers for applications. Versions 5.5.4 and below allow the use of WcfProxy. WcfProxy uses the now-obsolete NetDataContractSerializer (NDCS) and is vulnerable to remote code execution during deserialization. This vulnerability is fixed in version 6.0.0. To workaround this issue, remove the WcfProxy in data portal configurations.

Affected Packages

csla (NUGET):

Affected version(s) >=5.0.0 <6.0.0

Fix Suggestion:

Update to version 6.0.0

Related Resources (6)

https://github.com/MarimerLLC/csla

https://github.com/MarimerLLC/csla/issues/4001

https://learn.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/ca2310

https://github.com/MarimerLLC/csla/pull/4018

https://nvd.nist.gov/vuln/detail/CVE-2025-66631

https://github.com/MarimerLLC/csla/security/advisories/GHSA-wq34-7f4g-953v

Do you need more information?

CVSS v4

Base Score:

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

PRESENT

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

HIGH

Vulnerable System Availability

HIGH

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

Exploit Maturity

UNREPORTED

CVSS v3

Base Score:

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Weakness Type (CWE)

Deserialization of Untrusted Data

CWE-502

EPSS

Base Score:

0.49

Products

Solutions

Resources

Company

Compare

Developer Tools