VYPR
High severity · 7.5 · NVD Advisory · Published Mar 20, 2026 · Updated Apr 8, 2026

CVE-2026-32933

Description

AutoMapper is a convention-based object-object mapper in .NET. Versions prior to 15.1.1 and 16.1.1 are vulnerable to a Denial of Service (DoS) attack. When mapping deeply nested object graphs, the library uses recursive method calls without enforcing a default maximum depth limit. This allows an attacker to provide a specially crafted object graph that exhausts the thread's stack memory, triggering a StackOverflowException and causing the entire application process to terminate. Versions 15.1.1 and 16.1.1 fix the issue.
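
One way to bound nesting depth before a self-referential type reaches the mapper, as an added example that is not taken from the advisory or from the AutoMapper project. `Node`, `NodeDto`, `GraphGuard` and the limit of 32 are hypothetical; `Profile`, `CreateMap`, `MaxDepth` and `IMapper.Map` are AutoMapper's existing API. The page does not say whether an explicit `MaxDepth` is a sufficient workaround on affected versions, so treat it as defence in depth alongside the upgrade to 15.1.1 or 16.1.1.

```csharp
using System;
using AutoMapper;

// Constructed self-referential types standing in for a graph whose depth
// is influenced by untrusted input.
public class Node    { public string Name { get; set; } = ""; public Node? Child { get; set; } }
public class NodeDto { public string Name { get; set; } = ""; public NodeDto? Child { get; set; } }

public class NodeProfile : Profile
{
    public const int DepthLimit = 32; // assumed application limit, not from the advisory

    public NodeProfile()
    {
        // Explicit per-map depth setting instead of relying on a library default.
        CreateMap<Node, NodeDto>().MaxDepth(DepthLimit);
    }
}

public static class GraphGuard
{
    // Walks the chain with a loop, so the check itself uses constant stack
    // however deep the input is. A cyclic chain also ends here, because the
    // counter passes the limit and the method returns false.
    public static bool WithinDepth(Node? root, int limit)
    {
        int depth = 0;
        for (Node? n = root; n != null; n = n.Child)
        {
            if (++depth > limit) return false;
        }
        return true;
    }

    // Rejects over-deep graphs with a catchable exception before any
    // recursive mapping code runs.
    public static NodeDto MapChecked(IMapper mapper, Node root)
    {
        if (!WithinDepth(root, NodeProfile.DepthLimit))
            throw new ArgumentException(
                $"Object graph exceeds {NodeProfile.DepthLimit} levels; refusing to map.");
        return mapper.Map<NodeDto>(root);
    }
}
```

An `ArgumentException` can be caught and turned into a rejected request, whereas the `StackOverflowException` described above terminates the process.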

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| AutoMapper (NuGet) | >= 16.0.0, < 16.1.1 | 16.1.1 |
| AutoMapper (NuGet) | < 15.1.1 | 15.1.1 |
