PT-2026-26547 · Unknown · Automapper

Author: Skdishansachin · Published: 2026-03-13 · Updated: 2026-03-20

CVE-2026-32933
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: AutoMapper versions prior to 15.1.1; AutoMapper versions prior to 16.1.1

Description: AutoMapper is susceptible to a Denial of Service (DoS) attack. When processing deeply nested object graphs, the library maps nested members through recursive method calls and applies no default maximum depth limit. An attacker can supply a specifically crafted object graph that exhausts the thread's stack, producing a StackOverflowException and terminating the application process. The core mapping engine is affected: recursive attempts to map nested objects of the same type can exceed the available stack size, leading to process termination. A proof of concept demonstrates the crash by creating a deeply nested "Circular" object graph and attempting to map it.

Recommendations: AutoMapper versions prior to 15.1.1: implement a default MaxDepth for all mapping operations. AutoMapper versions prior to 16.1.1: implement a default MaxDepth for all mapping operations.
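As an added illustration of the MaxDepth mitigation named in the recommendations (example code, not the advisory's proof of concept or AutoMapper's own code): the Circular/CircularDto types, the chain depth and the cap of 16 are constructed, and the ILoggerFactory constructor argument is assumed for AutoMapper 15.x (older versions omit it).

```csharp
using AutoMapper;
using Microsoft.Extensions.Logging.Abstractions;

// Constructed types for this example (not from the advisory): a self-referencing graph.
public sealed class Circular
{
    public Circular Child { get; set; }
}

public sealed class CircularDto
{
    public CircularDto Child { get; set; }
}

public static class MaxDepthDemo
{
    // Builds a linear chain of the requested depth; the depth is a constructed value.
    public static Circular BuildChain(int depth)
    {
        var root = new Circular();
        var cursor = root;
        for (var i = 1; i < depth; i++)
        {
            cursor.Child = new Circular();
            cursor = cursor.Child;
        }
        return root;
    }

    // Counts how many levels survived mapping (levels past MaxDepth are left null).
    public static int MeasureDepth(CircularDto dto)
    {
        var depth = 0;
        for (var node = dto; node != null; node = node.Child) depth++;
        return depth;
    }

    public static void Main()
    {
        // Mitigation: cap recursion explicitly on the map instead of relying on a library default.
        // The ILoggerFactory argument is assumed for AutoMapper 15.x; older versions omit it.
        var config = new MapperConfiguration(cfg =>
        {
            cfg.CreateMap<Circular, CircularDto>().MaxDepth(16);
        }, NullLoggerFactory.Instance);
        var mapper = config.CreateMapper();

        // A chain far deeper than the cap is mapped without recursing past the cap.
        var dto = mapper.Map<CircularDto>(BuildChain(100_000));
        System.Console.WriteLine($"mapped depth: {MeasureDepth(dto)}");
    }
}
```

Without the MaxDepth call, the same input reproduces the unbounded recursion the advisory describes; with it, the mapper stops descending at the configured depth and the process stays up.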

Tags: Exploit · Fix · DoS · Uncontrolled Recursion

Weakness Enumeration: Uncontrolled Recursion

Related Identifiers: CVE-2026-32933, GHSA-RVV3-G6HJ-G44X

Affected Products: Automapper