CVE-2025-66631 Overview
CVE-2025-66631 is an insecure deserialization vulnerability in CSLA .NET, a framework for building reusable, object-oriented business layers. Versions 5.5.4 and below ship a WcfProxy data portal channel that relies on the obsolete NetDataContractSerializer (NDCS). Attackers can supply crafted serialized payloads to the data portal endpoint and achieve remote code execution during deserialization. The flaw is tracked under CWE-502: Deserialization of Untrusted Data. Maintainers fixed the issue in CSLA .NET version 6.0.0 by removing the vulnerable proxy.
Critical Impact
Unauthenticated attackers reaching a CSLA WcfProxy data portal can execute arbitrary code on the server hosting the business layer, compromising confidentiality, integrity, and availability of the application.
Affected Products
- CSLA .NET versions 5.5.4 and below
- Applications using WcfProxy in CSLA data portal configurations
- Server components hosting CSLA Windows Communication Foundation (WCF) endpoints
Discovery Timeline
- 2025-12-09 - CVE-2025-66631 published to the National Vulnerability Database (NVD)
- 2026-03-25 - Last updated in the NVD database
Technical Details for CVE-2025-66631
Vulnerability Analysis
CSLA .NET exposes a data portal abstraction that lets clients invoke business object operations on a remote server. The WcfProxy channel transports those calls over WCF and uses NetDataContractSerializer to serialize and deserialize the request and response graphs. Microsoft has long classified NetDataContractSerializer as unsafe because it embeds .NET type information inside the payload and rehydrates arbitrary types during deserialization.
An attacker who can reach the WCF endpoint sends a serialized object graph that references gadget types available in the server's loaded assemblies. When the server deserializes the payload, gadget chains run constructors, property setters, or IDeserializationCallback handlers that ultimately execute attacker-controlled code. Authentication is not required by the vulnerable channel, and the network attack vector makes exploitation feasible against any exposed data portal.
Root Cause
The root cause is the continued use of NetDataContractSerializer inside WcfProxy. NDCS does not constrain the set of types it will instantiate, making the deserialization step a primitive for arbitrary type construction. Combined with the WCF transport, this turns any reachable endpoint into a code execution surface.
Attack Vector
Exploitation is remote and unauthenticated when the WCF data portal is network reachable. The attacker crafts an NDCS payload containing a known .NET deserialization gadget chain, sends it to the CSLA WCF endpoint, and triggers code execution under the identity of the host process. No user interaction is required.
No verified public proof-of-concept code is available for this CVE. Technical context is documented in GitHub Issue #4001 and the GitHub Security Advisory GHSA-wq34-7f4g-953v.
Detection Methods for CVE-2025-66631
Indicators of Compromise
- Unexpected child processes spawned by the IIS or WCF host running CSLA business components, such as cmd.exe, powershell.exe, or rundll32.exe.
- Inbound traffic to CSLA WCF endpoints carrying SOAP envelopes referencing NetDataContractSerializer types or unusual xmlns namespaces for arbitrary .NET assemblies.
- New or modified files in the CSLA host application directory, especially webshells or scheduled task artifacts.
Detection Strategies
- Inspect CSLA application configuration for references to Csla.DataPortalClient.WcfProxy or WcfPortal host bindings on vulnerable versions.
- Hunt in process telemetry for the CSLA host process spawning interactive shells or scripting engines, a strong signal of post-deserialization execution.
- Review WCF request logs for oversized SOAP bodies and serialized type references outside the application's normal business object namespaces.
Monitoring Recommendations
- Enable verbose WCF tracing on data portal endpoints and forward logs to a centralized analytics platform for retention and search.
- Monitor outbound network connections from CSLA host servers for callbacks to attacker infrastructure following deserialization activity.
- Alert on changes to CSLA application binaries, configuration files, and web.config data portal sections.
How to Mitigate CVE-2025-66631
Immediate Actions Required
- Upgrade CSLA .NET to version 6.0.0 or later, which removes the vulnerable WcfProxy implementation.
- If upgrading is not immediately possible, remove WcfProxy entries from data portal client and host configurations and switch to a supported proxy such as HttpProxy.
- Restrict network access to existing CSLA WCF endpoints so only trusted application tiers can reach them.
Patch Information
The fix is shipped in CSLA .NET 6.0.0. See the merged GitHub Pull Request #4018 and the GitHub Security Advisory GHSA-wq34-7f4g-953v for the authoritative remediation guidance from the MarimerLLC maintainers.
Workarounds
- Remove WcfProxy from data portal configurations and migrate clients to HttpProxy over HTTPS with authentication.
- Place CSLA data portal endpoints behind a reverse proxy that enforces mutual TLS and IP allow-listing.
- Apply WCF message filters or IDispatchMessageInspector components that reject SOAP messages containing NetDataContractSerializer payloads until the upgrade is complete.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
