CVE-2021-29508: 
C# vulnerability analysis and mitigation

Due to how Wire handles type information in its serialization format, malicious payloads can be passed to a deserializer. The vulnerability (CVE-2021-29508) affects all versions of the Wire NuGet package, a binary POCO serializer for .NET. The issue was disclosed on May 11, 2021, and affects the main Wire package as well as its fork, AkkaDotNet/Hyperion (GitHub Advisory).

The vulnerability occurs when an attacker uses a surrogate on the sender end to pass information about a different type for the receiving end, allowing the serializer to create any type on the deserializing end. This is similar to the known issue that exists for .NET BinaryFormatter. The vulnerability has been assigned a CVSS v3.1 base score of 9.1 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H (NVD).

The vulnerability allows attackers to execute arbitrary code through malicious deserialization. This can lead to remote code execution if a suitable gadget chain is present on the server. The issue affects all versions of Wire and its derivatives, making it a critical security concern for applications using this serialization library (GitHub Advisory).

No official patch has been released for this vulnerability. The package has been deprecated as it is legacy and is no longer maintained. Users are advised to discontinue the use of Wire and migrate to alternative serialization libraries that implement proper security controls (NuGet Package).