Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
AutoMapper is a convention-based object-object mapper in .NET. Versions prior to 15.1.1 and 16.1.1 are vulnerable to a Denial of Service (DoS) attack. When mapping deeply nested object graphs, the library uses recursive method calls without enforcing a default maximum depth limit. This allows an attacker to provide a specially crafted object graph that exhausts the thread's stack memory, triggering a StackOverflowException and causing the entire application process to terminate. Versions 15.1.1 and 16.1.1 fix the issue.
AnalysisAI
AutoMapper, a widely-used convention-based object-object mapper for .NET applications, contains a stack exhaustion vulnerability that allows remote attackers to crash applications via deeply nested object graphs. Versions prior to 15.1.1 and 16.1.1 are affected. An unauthenticated attacker can trigger a StackOverflowException by sending specially crafted nested objects, causing immediate application termination with high availability impact (CVSS 7.5).
Technical ContextAI
AutoMapper is a .NET library that automates the mapping between different object models using convention-based configuration, commonly used in enterprise applications forDTO transformations and layered architectures. The vulnerability stems from CWE-674 (Uncontrolled Recursion), where the library's recursive mapping algorithm for nested object graphs lacks default depth limits. When processing deeply nested structures, each mapping operation adds a new frame to the call stack until stack memory is exhausted, resulting in an unrecoverable StackOverflowException that terminates the entire .NET process. This affects both major version branches: the 15.x line (all versions before 15.1.1) and the 16.x line (versions 16.0.0 through 16.1.0).
RemediationAI
Immediately upgrade AutoMapper to version 15.1.1 or later for the 15.x branch, or version 16.1.1 or later for the 16.x branch. Both patched versions are available through the official NuGet package repository and GitHub releases at https://github.com/LuckyPennySoftware/AutoMapper/releases/tag/v15.1.1 and https://github.com/LuckyPennySoftware/AutoMapper/releases/tag/v16.1.1. The fix commit at https://github.com/LuckyPennySoftware/AutoMapper/commit/0afaf1e91648fca1a57512e94dd00a76ee016816 implements default maximum depth limits for recursive mapping operations. As a temporary workaround until patching, implement input validation to reject objects exceeding reasonable nesting depths (e.g., 10-20 levels), use .NET's MaxDepth JSON serialization settings to prevent deeply nested payloads from reaching AutoMapper, or isolate mapping operations in separate AppDomains or processes with monitoring to prevent full application crashes.
Same weakness CWE-674 – Uncontrolled Recursion
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13505
GHSA-rvv3-g6hj-g44x