VYPR
High severity · NVD Advisory · Published Dec 9, 2025 · Updated Dec 9, 2025

CSLA .NET is vulnerable to Remote Code Execution via WcfProxy

CVE-2025-66631

Description

CSLA .NET is a framework designed for the development of reusable, object-oriented business layers for applications. Versions 5.5.4 and below allow the use of WcfProxy. WcfProxy uses the now-obsolete NetDataContractSerializer (NDCS) and is vulnerable to remote code execution during deserialization. This vulnerability is fixed in version 6.0.0. To work around this issue, remove WcfProxy from data portal configurations.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CSLA .NET <= 5.5.4 includes WcfProxy using NetDataContractSerializer, enabling remote code execution via deserialization.

Vulnerability

CSLA .NET versions 5.5.4 and below expose the WcfProxy component, which relies on the now-obsolete NetDataContractSerializer (NDCS) for deserialization. NDCS is inherently insecure because it allows deserializing arbitrary types without restriction, making it a vector for remote code execution (RCE) attacks [1][2][3]. The framework's data portal configuration can invoke WcfProxy, which triggers NDCS deserialization on potentially untrusted data.

Exploitation

An attacker can craft malicious serialized data containing unexpected or dangerous types. When the CSLA framework deserializes this data using WcfProxy, the NetDataContractSerializer will instantiate the attacker's chosen types, potentially executing arbitrary code on the server or client application that performs deserialization [3]. No special authentication is required beyond access to the deserialization endpoint; the root cause is the use of an insecure deserialization primitive that does not validate or restrict incoming types.

Impact

Successful exploitation grants the attacker the ability to execute arbitrary commands in the context of the application process. This could lead to full system compromise, data exfiltration, or further lateral movement within a networked environment [1][3].

Mitigation

The vulnerability is fixed in version 6.0.0 of CSLA .NET, where the risky serialization components (NetDataContractSerializerWrapper and related binary formatter code) have been removed in favor of the safer MobileFormatter [2][4]. For users who cannot upgrade, the recommended workaround is to disable or remove WcfProxy from data portal configurations entirely [1].
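The two facts the advisory gives a defender to act on are the fixed release (6.0.0) and the presence of WcfProxy in a data portal configuration. The following audit helper is an added example, not code from the advisory or from the CSLA project: it flags a Csla NuGet reference below 6.0.0 in a csproj and any appSettings entry whose value names WcfProxy. The key name CslaDataPortalProxy in the constructed sample config is an assumption used only for illustration.

```python
# Audit helper for CVE-2025-66631 exposure (added example, not the advisory's or
# CSLA's code). Flags a Csla NuGet reference below the fixed 6.0.0 release and any
# appSettings entry that still selects WcfProxy. The key name CslaDataPortalProxy
# in the sample config below is an assumption, not taken from the advisory.
import xml.etree.ElementTree as ET

FIXED_VERSION = (6, 0, 0)  # first release with WcfProxy removed, per the advisory


def parse_version(text):
    """Map '5.5.4' or '6.0.0-preview1' to a comparable tuple of integers."""
    core = text.split("-", 1)[0]
    return tuple(int(part) for part in core.split(".")[:3])


def csla_versions(csproj_xml):
    """Return every Csla PackageReference version declared in a csproj."""
    found = []
    for el in ET.fromstring(csproj_xml).iter():
        # rsplit strips the MSBuild namespace that old-style csproj files carry
        if el.tag.rsplit("}", 1)[-1] != "PackageReference":
            continue
        if el.get("Include", "").lower() == "csla":
            version = el.get("Version") or el.findtext("Version", "")
            if version:
                found.append(version)
    return found


def wcfproxy_keys(config_xml):
    """Return appSettings keys whose value names the WcfProxy type."""
    return [el.get("key") for el in ET.fromstring(config_xml).iter("add")
            if "WcfProxy" in (el.get("value") or "")]


def assess(csproj_xml, config_xml):
    """List findings; an empty list means neither exposure indicator was seen."""
    findings = []
    for version in csla_versions(csproj_xml):
        if parse_version(version) < FIXED_VERSION:
            findings.append(f"Csla {version} is below the fixed 6.0.0 release")
    for key in wcfproxy_keys(config_xml):
        findings.append(f"appSettings '{key}' still selects WcfProxy")
    return findings


# Constructed sample inputs (not taken from any real project).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="Csla" Version="5.5.4" /></ItemGroup></Project>"""
SAMPLE_CONFIG = """<configuration><appSettings>
  <add key="CslaDataPortalProxy" value="Csla.DataPortalClient.WcfProxy, Csla" />
</appSettings></configuration>"""
```

Running `assess(SAMPLE_CSPROJ, SAMPLE_CONFIG)` returns both findings; after upgrading to 6.0.0 and removing the WcfProxy entry it returns an empty list.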

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Affected versions   Patched versions
Csla (NuGet)   < 6.0.0             6.0.0

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 6

News mentions: 0 (no linked articles in the index yet)