CVE-2026-32933
HIGH
7,5
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Scope: unchanged
Confidentiality: none
Integrity: none
Availability: high
Description
AI Translation Available
AutoMapper is a convention-based object-object mapper in .NET. Versions prior to 15.1.1 and 16.1.1 are vulnerable to a Denial of Service (DoS) attack. When mapping deeply nested object graphs, the library uses recursive method calls without enforcing a default maximum depth limit. This allows an attacker to provide a specially crafted object graph that exhausts the thread's stack memory, triggering a `StackOverflowException` and causing the entire application process to terminate. Versions 15.1.1 and 16.1.1 fix the issue.
674
Uncontrolled Recursion
DraftCommon Consequences
Security Scopes Affected:
Availability
Confidentiality
Potential Impacts:
Dos: Resource Consumption (Cpu)
Dos: Resource Consumption (Memory)
Read Application Data
Applicable Platforms
All platforms may be affected
https://github.com/LuckyPennySoftware/AutoMapper/commit/0afaf1e91648fca1a57512e…
https://github.com/LuckyPennySoftware/AutoMapper/releases/tag/v15.1.1
https://github.com/LuckyPennySoftware/AutoMapper/releases/tag/v16.1.1
https://github.com/LuckyPennySoftware/AutoMapper/security/advisories/GHSA-rvv3-…