CVE-2025-66631
BaseFortify
Publication date: 2025-12-09
Last updated on: 2026-03-25
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cslanet | csla_.net | all versions before 6.0.0 (6.0.0 itself is not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects CSLA .NET versions 5.5.4 and below, specifically the WcfProxy data portal client, which uses the obsolete NetDataContractSerializer (NDCS) to deserialize data portal messages. NDCS writes the CLR type name of every object into the serialized payload and, on the receiving side, constructs whatever type the payload names, so a remote caller who can supply data portal traffic controls which types get instantiated during deserialization. That is the classic CWE-502 condition and it can lead to remote code execution. The issue is fixed in version 6.0.0; the workaround is to remove WcfProxy from the data portal configuration.
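To make the root cause concrete, here is an added example (not code from CSLA .NET or from this advisory) that shows the behaviour the answer above describes: NetDataContractSerializer emits the type name into the payload and then trusts it on the way back in, while DataContractSerializer bound to a declared type does not. The classes Greeting, Unexpected and NdcsDemo are invented for illustration; the only real APIs used are NetDataContractSerializer and DataContractSerializer from System.Runtime.Serialization. It targets .NET Framework, because NetDataContractSerializer does not exist on .NET Core / .NET 5+, and the tampered payload is constructed in the program rather than captured from CSLA traffic.

```csharp
// Added example, not CSLA or BaseFortify code. Demonstrates the CWE-502 root
// cause behind this CVE: NetDataContractSerializer (NDCS) puts the CLR type
// name into the payload and constructs whatever type the payload names.
// Requires .NET Framework; NDCS is not available on .NET Core / .NET 5+.
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Text;

[Serializable]
public class Greeting
{
    public string Text;
}

// Hypothetical type the receiver never meant to accept. It stands in for any
// type in any loadable assembly whose deserialization callbacks, setters or
// constructors do something harmful; here the callback only records a flag.
[Serializable]
public class Unexpected
{
    public string Text;
    public static string Triggered;

    [OnDeserialized]
    private void AfterDeserialize(StreamingContext context)
    {
        Triggered = "Unexpected.AfterDeserialize ran with Text=" + Text;
    }
}

public static class NdcsDemo
{
    // Sender side: NDCS writes z:Type / z:Assembly attributes for each object.
    public static string SerializeWithNdcs(object graph)
    {
        var ndcs = new NetDataContractSerializer();
        using (var ms = new MemoryStream())
        {
            ndcs.Serialize(ms, graph);
            return Encoding.UTF8.GetString(ms.ToArray());
        }
    }

    // Vulnerable receiver: the type to construct is taken from the wire bytes.
    public static object DeserializeWithNdcs(string xml)
    {
        var ndcs = new NetDataContractSerializer();
        using (var ms = new MemoryStream(Encoding.UTF8.GetBytes(xml)))
        {
            return ndcs.Deserialize(ms);
        }
    }

    // Hardened receiver: DataContractSerializer is bound to a declared type and
    // does not honour z:Type, so the sender cannot choose what gets built.
    public static Greeting DeserializeBoundToGreeting(string xml)
    {
        var dcs = new DataContractSerializer(typeof(Greeting));
        using (var ms = new MemoryStream(Encoding.UTF8.GetBytes(xml)))
        {
            return (Greeting)dcs.ReadObject(ms);
        }
    }

    public static void Main()
    {
        string legit = SerializeWithNdcs(new Greeting { Text = "hello" });
        Console.WriteLine(legit); // note the z:Type="Greeting" z:Assembly="..." attributes

        // Constructed attacker payload: the same bytes with the type name rewritten.
        // Both types live in this assembly, so z:Assembly can stay unchanged; a real
        // attacker would name a type from any assembly the process can load.
        string tampered = legit
            .Replace("<Greeting", "<Unexpected")
            .Replace("</Greeting>", "</Unexpected>")
            .Replace("z:Type=\"Greeting\"", "z:Type=\"Unexpected\"");

        object built = DeserializeWithNdcs(tampered);
        Console.WriteLine("NDCS built: " + built.GetType().Name);
        Console.WriteLine("Callback: " + Unexpected.Triggered);

        try
        {
            DeserializeBoundToGreeting(tampered);
            Console.WriteLine("DCS accepted the payload (not expected)");
        }
        catch (SerializationException ex)
        {
            Console.WriteLine("DCS rejected the payload: " + ex.Message);
        }
    }
}
```

The point of the contrast is that the safe serializer's set of constructible types is fixed at compile time by the declared type (plus any explicitly registered known types), whereas with NDCS it is fixed by whoever writes the bytes. When auditing a CSLA 5.x deployment for this CVE, the things to look for are references to WcfProxy in the data portal configuration and, more generally, any code path that hands untrusted input to NetDataContractSerializer.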
How can this vulnerability impact me?
On systems running a vulnerable version of CSLA .NET with WcfProxy enabled, this vulnerability can lead to remote code execution: an attacker who can deliver data portal traffic to the affected endpoint can run arbitrary code in the process that deserializes it. That can compromise the affected host, expose the data it handles, and serve as a foothold for further attacks within the network.
What immediate steps should I take to mitigate this vulnerability?
Upgrade CSLA .NET to version 6.0.0 or later, where the issue is fixed. If you cannot upgrade immediately, remove WcfProxy (the Csla.DataPortalClient.WcfProxy type) from the data portal configuration so that the WCF transport is no longer used; this workaround removes the vulnerable component but does not replace the upgrade.