CVE-2025-66631

CSLA .NET <5.5.4 - Code Injection

Title source: llm

Description

CSLA .NET is a framework designed for the development of reusable, object-oriented business layers for applications. Versions 5.5.4 and below allow the use of WcfProxy. WcfProxy uses the now-obsolete NetDataContractSerializer (NDCS) and is vulnerable to remote code execution during deserialization. This vulnerability is fixed in version 6.0.0. To workaround this issue, remove the WcfProxy in data portal configurations.

References (3)

[Issue Tracking] https://github.com/MarimerLLC/csla/issues/4001

[Issue Tracking] https://github.com/MarimerLLC/csla/pull/4018

[Vendor Advisory] https://github.com/MarimerLLC/csla/security/advisories/GHSA-wq34-7f4g-953v

Scores

EPSS 0.0049

EPSS Percentile 65.2%

Classification

CWE

CWE-502

Status draft

Affected Products (1)

nuget/Csla < 6.0.0NuGet

Timeline

Published Dec 09, 2025

Tracked Since Feb 18, 2026