High severity 7.5 · NVD Advisory · Published Mar 20, 2026 · Updated Apr 8, 2026
CVE-2026-32933
Description
AutoMapper is a convention-based object-object mapper in .NET. Versions prior to 15.1.1 and 16.1.1 are vulnerable to a Denial of Service (DoS) attack. When mapping deeply nested object graphs, the library uses recursive method calls without enforcing a default maximum depth limit. This allows an attacker to provide a specially crafted object graph that exhausts the thread's stack memory, triggering a StackOverflowException and causing the entire application process to terminate. Versions 15.1.1 and 16.1.1 fix the issue.
Affected products: 1
Patches: 0
No patches discovered yet.
References (6)
- github.com/LuckyPennySoftware/AutoMapper/commit/0afaf1e91648fca1a57512e94dd00a76ee016816 (nvd: Patch)
- github.com/LuckyPennySoftware/AutoMapper/security/advisories/GHSA-rvv3-g6hj-g44x (nvd: Vendor Advisory, Exploit)
- github.com/advisories/GHSA-rvv3-g6hj-g44x (ghsa: ADVISORY)
- github.com/LuckyPennySoftware/AutoMapper/releases/tag/v15.1.1 (nvd: Release Notes)
- github.com/LuckyPennySoftware/AutoMapper/releases/tag/v16.1.1 (nvd: Release Notes)
- nvd.nist.gov/vuln/detail/CVE-2026-32933 (ghsa)