Description
AutoMapper is a convention-based object-object mapper in .NET. Versions prior to 15.1.1 and 16.1.1 are vulnerable to a Denial of Service (DoS) attack. When mapping deeply nested object graphs, the library uses recursive method calls without enforcing a default maximum depth limit. This allows an attacker to provide a specially crafted object graph that exhausts the thread's stack memory, triggering a `StackOverflowException` and causing the entire application process to terminate. Versions 15.1.1 and 16.1.1 fix the issue.
Published: 2026-03-20
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

AutoMapper, a popular .NET object‑to‑object mapping library, uses recursive method calls when handling instance graphs. In versions prior to 15.1.1 and 16.1.1 no maximum depth is enforced, allowing an attacker to supply an object graph with arbitrarily deep nesting. The resulting deep recursion exhausts the thread stack, meaning a StackOverflowException is thrown and the application process terminates. The weakness is identified as CWE‑674: Uncontrolled Recursion.

Affected Systems

LuckyPennySoftware’s AutoMapper library is affected. All releases before 15.1.1 and 16.1.1 contain the flaw; the problem was remedied in those two releases by adding a recursion depth limit.

Risk and Exploitability

The CVSS base score of 7.5 indicates a high severity, while the EPSS score of less than 1 % suggests that exploitation opportunities are currently rare. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to supply the maliciously nested object graph, typically through API input or code injection that invokes AutoMapper. Once the stack is exhausted the application crashes, providing no opportunity for further malicious activity but resulting in a denial‑of‑service condition. The risk remains significant in environments where uptime is critical.

Generated by OpenCVE AI on April 8, 2026 at 23:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AutoMapper to version 15.1.1 or 16.1.1, which adds a recursion depth limit.

Generated by OpenCVE AI on April 8, 2026 at 23:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-rvv3-g6hj-g44x AutoMapper Vulnerable to Denial of Service (DoS) via Uncontrolled Recursion
History

Wed, 08 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:luckypennysoftware:automapper:*:*:*:*:*:*:*:*

Fri, 20 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Luckypennysoftware
Luckypennysoftware automapper
Vendors & Products Luckypennysoftware
Luckypennysoftware automapper

Fri, 20 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Description AutoMapper is a convention-based object-object mapper in .NET. Versions prior to 15.1.1 and 16.1.1 are vulnerable to a Denial of Service (DoS) attack. When mapping deeply nested object graphs, the library uses recursive method calls without enforcing a default maximum depth limit. This allows an attacker to provide a specially crafted object graph that exhausts the thread's stack memory, triggering a `StackOverflowException` and causing the entire application process to terminate. Versions 15.1.1 and 16.1.1 fix the issue.
Title AutoMapper Vulnerable to Denial of Service (DoS) via Uncontrolled Recursion
Weaknesses CWE-674
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Luckypennysoftware Automapper
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T20:02:58.558Z

Reserved: 2026-03-17T00:05:53.282Z

Link: CVE-2026-32933

cve-icon Vulnrichment

Updated: 2026-03-20T20:02:54.190Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T03:16:00.430

Modified: 2026-04-08T20:52:17.023

Link: CVE-2026-32933

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:29:42Z

Weaknesses