Skip to main content

Automapper CVE-2026-32933

| EUVDEUVD-2026-13505 HIGH
Uncontrolled Recursion (CWE-674)
2026-03-20 security-advisories@github.com GHSA-rvv3-g6hj-g44x
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 20, 2026 - 08:37 euvd
EUVD-2026-13505
Analysis Generated
Mar 20, 2026 - 08:37 vuln.today
CVE Published
Mar 20, 2026 - 03:16 nvd
HIGH 7.5

DescriptionGitHub Advisory

AutoMapper is a convention-based object-object mapper in .NET. Versions prior to 15.1.1 and 16.1.1 are vulnerable to a Denial of Service (DoS) attack. When mapping deeply nested object graphs, the library uses recursive method calls without enforcing a default maximum depth limit. This allows an attacker to provide a specially crafted object graph that exhausts the thread's stack memory, triggering a StackOverflowException and causing the entire application process to terminate. Versions 15.1.1 and 16.1.1 fix the issue.

AnalysisAI

AutoMapper, a widely-used convention-based object-object mapper for .NET applications, contains a stack exhaustion vulnerability that allows remote attackers to crash applications via deeply nested object graphs. Versions prior to 15.1.1 and 16.1.1 are affected. An unauthenticated attacker can trigger a StackOverflowException by sending specially crafted nested objects, causing immediate application termination with high availability impact (CVSS 7.5).

Technical ContextAI

AutoMapper is a .NET library that automates the mapping between different object models using convention-based configuration, commonly used in enterprise applications forDTO transformations and layered architectures. The vulnerability stems from CWE-674 (Uncontrolled Recursion), where the library's recursive mapping algorithm for nested object graphs lacks default depth limits. When processing deeply nested structures, each mapping operation adds a new frame to the call stack until stack memory is exhausted, resulting in an unrecoverable StackOverflowException that terminates the entire .NET process. This affects both major version branches: the 15.x line (all versions before 15.1.1) and the 16.x line (versions 16.0.0 through 16.1.0).

RemediationAI

Immediately upgrade AutoMapper to version 15.1.1 or later for the 15.x branch, or version 16.1.1 or later for the 16.x branch. Both patched versions are available through the official NuGet package repository and GitHub releases at https://github.com/LuckyPennySoftware/AutoMapper/releases/tag/v15.1.1 and https://github.com/LuckyPennySoftware/AutoMapper/releases/tag/v16.1.1. The fix commit at https://github.com/LuckyPennySoftware/AutoMapper/commit/0afaf1e91648fca1a57512e94dd00a76ee016816 implements default maximum depth limits for recursive mapping operations. As a temporary workaround until patching, implement input validation to reject objects exceeding reasonable nesting depths (e.g., 10-20 levels), use .NET's MaxDepth JSON serialization settings to prevent deeply nested payloads from reaching AutoMapper, or isolate mapping operations in separate AppDomains or processes with monitoring to prevent full application crashes.

Share

CVE-2026-32933 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy