dotnet · CoreWCF.Primitives · Critical
CoreWCF.Primitives replay attack vulnerability in transport-security bindings
A security vulnerability in CoreWCF.
What changed
A security vulnerability in CoreWCF.Primitives allows an attacker who has captured a signed SOAP envelope to replay it and invoke arbitrary operations as the victim principal for as long as the signing key remains valid. The DetectReplays setting does not mitigate this, because the replayed envelope carries a fresh timestamp.
Who it affects
All users of CoreWCF.Primitives versions prior to 1.8.1 and 1.9.1 using transport-security bindings.
What to do today
Upgrade to CoreWCF v1.8.1 or v1.9.1 immediately. If upgrade is not possible, ensure communication is protected by SSL/TLS to prevent envelope capture.
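To find projects that still reference an affected package version, the following added scanner (not part of the advisory or of CoreWCF) checks PackageReference entries in a project file against the two fixed versions named above; note that 1.9.0 is affected even though it is newer than 1.8.1, and a pre-release of a fixed version is treated as not yet fixed. The sample project file is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Fixed versions stated in the advisory: 1.8.1 on the 1.8 branch, 1.9.1 on the 1.9 branch.
FIXED_1_8 = (1, 8, 1, 1)
FIRST_1_9 = (1, 9, 0, 0)
FIXED_1_9 = (1, 9, 1, 1)


def parse_version(text):
    """Turn a NuGet version such as '1.9.0' or '1.8.1-preview' into a comparable tuple."""
    core, _, prerelease = text.strip().partition("-")
    nums = [int(p) for p in re.findall(r"\d+", core)[:3]]
    nums += [0] * (3 - len(nums))
    # A pre-release sorts before its release, so '1.8.1-preview' counts as still affected.
    return (*nums, 0 if prerelease else 1)


def is_vulnerable(version):
    """Affected: everything below 1.8.1, plus 1.9.0 and any pre-release of 1.9.1."""
    v = parse_version(version)
    if v >= FIXED_1_9:
        return False
    if FIXED_1_8 <= v < FIRST_1_9:
        return False
    return True


def package_references(csproj_text):
    """Yield (name, version) for each PackageReference, with or without an MSBuild namespace."""
    root = ET.fromstring(csproj_text)
    for node in root.iter():
        if node.tag.rsplit("}", 1)[-1] != "PackageReference":
            continue
        name = node.get("Include")
        version = node.get("Version") or (node.findtext("Version") or "").strip()
        if name and version:
            yield name, version


def scan_project(csproj_text):
    """Return the CoreWCF.Primitives references in this project that are still affected."""
    return [(n, v) for n, v in package_references(csproj_text)
            if n.lower() == "corewcf.primitives" and is_vulnerable(v)]


# Constructed sample: 1.9.0 is newer than 1.8.1 but still precedes the 1.9.1 fix.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="CoreWCF.Primitives" Version="1.9.0" />
    <PackageReference Include="CoreWCF.Http" Version="1.9.0" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for name, version in scan_project(SAMPLE_CSPROJ):
        print(f"affected: {name} {version} -> upgrade to 1.8.1 or 1.9.1")
```

The scanner only sees direct references; a transitive dependency on CoreWCF.Primitives shows up in `dotnet list package --include-transitive` or the packages.lock.json file instead, and whether the project actually uses a transport-security binding is not something a package version check can tell you.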