CVE-2026-32933: AutoMapper Vulnerable to Denial of Service (DoS) via Uncontrolled Recursion
AutoMapper is vulnerable to a Denial of Service (DoS) attack. When mapping deeply nested object graphs, the library uses recursive method calls without enforcing a default maximum depth limit. This allows an attacker to provide a specially crafted object graph that exhausts the thread’s stack memory, triggering a StackOverflowException and causing the entire application process to terminate.
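The recursion pattern described above, modelled in Python as an added illustration (this is not AutoMapper's C# code; `Node`, `map_unbounded`, `map_bounded` and the constructed chain are assumptions): an unguarded recursive mapper grows its stack with the input, while a mapper that enforces a maximum depth fails with a catchable error before the stack is exhausted.

```python
"""Model of the CVE-2026-32933 recursion pattern (illustrative, not AutoMapper code)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Node:
    """Self-referencing source type: each node may point to one child."""
    name: str
    child: Optional["Node"] = None


class DepthLimitExceeded(ValueError):
    """Raised by the guarded mapper when the graph is deeper than allowed."""


def map_unbounded(node: Optional[Node]) -> Optional[dict]:
    # Recursive mapping with no depth check: stack usage is controlled
    # entirely by the attacker-supplied object graph.
    if node is None:
        return None
    return {"name": node.name, "child": map_unbounded(node.child)}


def map_bounded(node: Optional[Node], max_depth: int = 32, _depth: int = 0) -> Optional[dict]:
    # Same mapping, but the recursion depth is bounded by a configured limit,
    # so a hostile graph yields an ordinary exception instead of a crash.
    if node is None:
        return None
    if _depth >= max_depth:
        raise DepthLimitExceeded(f"object graph deeper than {max_depth}")
    return {"name": node.name, "child": map_bounded(node.child, max_depth, _depth + 1)}


def build_chain(depth: int) -> Optional[Node]:
    # Constructed sample input: a linear chain of `depth` nodes.
    head: Optional[Node] = None
    for i in reversed(range(depth)):
        head = Node(f"n{i}", head)
    return head


def mapped_depth(dto: Optional[dict]) -> int:
    # Iterative walk of the mapped output (no recursion), used for checking.
    depth = 0
    while dto is not None:
        depth += 1
        dto = dto["child"]
    return depth


def try_map(mapper: Callable[[Optional[Node]], Optional[dict]], node: Optional[Node]) -> str:
    # Report how a mapper fails; in Python the unbounded case surfaces as
    # RecursionError, where a native stack would simply overflow.
    try:
        mapper(node)
        return "ok"
    except DepthLimitExceeded:
        return "DepthLimitExceeded"
    except RecursionError:
        return "RecursionError"
```

In a real deployment the same idea applies: upgrade to a release that enforces a default depth limit, and keep nested input from untrusted clients bounded before it reaches the mapper.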
References
- github.com/LuckyPennySoftware/AutoMapper
- github.com/LuckyPennySoftware/AutoMapper/commit/0afaf1e91648fca1a57512e94dd00a76ee016816
- github.com/LuckyPennySoftware/AutoMapper/releases/tag/v15.1.1
- github.com/LuckyPennySoftware/AutoMapper/releases/tag/v16.1.1
- github.com/LuckyPennySoftware/AutoMapper/security/advisories/GHSA-rvv3-g6hj-g44x
- github.com/advisories/GHSA-rvv3-g6hj-g44x
- nvd.nist.gov/vuln/detail/CVE-2026-32933