CVE-2025-66631
🟠 Łataj w tym tygodniu
Wykorzystanie WcfProxy w CSLA .NET umożliwia zdalne wykonanie kodu przez podatność w deserializacji.
CVSS
9.8
EPSS
1.0%
Exploit
none
Vendor
cslanet
Opis źródłowy (NVD)
CSLA .NET is a framework designed for the development of reusable, object-oriented business layers for applications. Versions 5.5.4 and below allow the use of WcfProxy. WcfProxy uses the now-obsolete NetDataContractSerializer (NDCS) and is vulnerable to remote code execution during deserialization. This vulnerability is fixed in version 6.0.0. To workaround this issue, remove the WcfProxy in data portal configurations.
deserialization rce
Brak patcha
Źródła i daty
| Źródło | Wartość |
|---|---|
| NVD – CVSS | 9.8 |
| CISA KEV (aktywnie wykorzystywane) | Nie |
| FIRST EPSS (prawdopodobieństwo exploita) | 1.0% |
| Opublikowano (NVD) | 2025-12-09 16:18:22 UTC |
| Ostatnia modyfikacja (NVD) | 2026-03-25 19:09:54 UTC |
Referencje
- https://github.com/MarimerLLC/csla/issues/4001 (security-advisories@github.com) [Issue Tracking]
- https://github.com/MarimerLLC/csla/pull/4018 (security-advisories@github.com) [Issue Tracking, Patch]
- https://github.com/MarimerLLC/csla/security/advisories/GHSA-wq34-7f4g-953v (security-advisories@github.com) [Mitigation, Vendor Advisory]