### Critical Vulnerability Information #### Title - **Remote Code Execution via WcfProxy (NetDataContractSerializer)** #### Severity - **High** #### Impact - **Affected Versions:** = 6 #### Description - Versions of CSLA .NET prior to version 6 allow the use of WcfProxy. WcfProxy uses the NetDataContractSerializer (NDCS), which has known vulnerabilities that can enable remote code execution during deserialization. NDCS itself is considered obsolete, and you should avoid using WcfProxy or upgrade to CSLA 6 or higher, where this issue does not exist. #### Patch - CSLA .NET version 6 and higher do not use WCF or NetDataContractSerializer. #### Solution - If you are using a version of CSLA .NET older than version 6, you should stop using WcfProxy in your data portal configuration. Doing so avoids the use of WCF and the NetDataContractSerializer, thereby avoiding the vulnerability. #### References - **CA2310: Do not use insecure deserializer NetDataContractSerializer** #### Additional Information - **CVE ID:** CVE-2025-66631 - **Reporter:** Outurnate - **Publisher:** rockfordlhotka