CVE-2026-32933
Received Received - Intake
Stack Overflow DoS in AutoMapper via Deep Object Mapping

Publication date: 2026-03-20

Last updated on: 2026-04-08

Assigner: GitHub, Inc.

Description
AutoMapper is a convention-based object-object mapper in .NET. Versions prior to 15.1.1 and 16.1.1 are vulnerable to a Denial of Service (DoS) attack. When mapping deeply nested object graphs, the library uses recursive method calls without enforcing a default maximum depth limit. This allows an attacker to provide a specially crafted object graph that exhausts the thread's stack memory, triggering a `StackOverflowException` and causing the entire application process to terminate. Versions 15.1.1 and 16.1.1 fix the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-04-08
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32933
EUVD
EUVD-2026-13505
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
luckypennysoftware automapper to 15.1.1 (exc)
luckypennysoftware automapper From 16.0.0 (inc) to 16.1.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-674 The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can severely impact the availability of applications using vulnerable versions of AutoMapper. An attacker can craft a deeply nested or cyclic object graph that triggers uncontrolled recursion during mapping, causing the application to crash due to a StackOverflowException.

The immediate termination of the application process results in a denial of service, making the application unavailable to legitimate users. This can disrupt business operations, degrade user experience, and potentially cause downtime.

The vulnerability does not affect confidentiality or integrity, but the loss of availability can have significant operational and reputational consequences.

Compliance Impact

I don't know

Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-32933 is a Denial of Service (DoS) vulnerability in the AutoMapper library for .NET. The issue occurs when AutoMapper processes deeply nested or self-referential object graphs without enforcing a maximum recursion depth. This uncontrolled recursion exhausts the thread's stack memory, causing a StackOverflowException that immediately terminates the application process."}, {'type': 'paragraph', 'content': 'Specifically, if an object graph contains cyclic references or deeply nested structures (around 25,000+ levels), AutoMapper recursively maps each level without limits, leading to stack exhaustion. Because modern .NET runtimes cannot catch StackOverflowException, the entire application crashes, resulting in a complete denial of service.'}, {'type': 'paragraph', 'content': 'The vulnerability affects versions prior to 15.1.1 and 16.1.1, which introduced a default maximum recursion depth (MaxDepth) of 64 and automatic handling of self-referential types to prevent infinite recursion and stack overflow.'}] [1, 4]

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability manifests as a Denial of Service (DoS) caused by a StackOverflowException when AutoMapper processes deeply nested or self-referential object graphs without a maximum recursion depth limit.'}, {'type': 'paragraph', 'content': 'Detection involves monitoring for application crashes or process terminations related to stack overflow during object mapping operations, especially when handling untrusted or attacker-controlled input.'}, {'type': 'paragraph', 'content': 'Since the issue occurs at runtime during mapping of deeply nested objects, there are no specific network commands to detect exploitation directly.'}, {'type': 'paragraph', 'content': 'To detect potential exploitation or vulnerability on your system, you can:'}, {'type': 'list_item', 'content': 'Monitor application logs for StackOverflowException or unexpected process terminations related to AutoMapper usage.'}, {'type': 'list_item', 'content': 'Use debugging or profiling tools to trace recursive mapping calls that exceed normal depth.'}, {'type': 'list_item', 'content': 'Check the version of AutoMapper in use; versions prior to 15.1.1 and 16.1.1 are vulnerable.'}, {'type': 'paragraph', 'content': 'No specific command-line commands are provided in the resources for direct detection, but general .NET diagnostic tools like "dotnet-trace" or "dotnet-dump" can be used to analyze crashes.'}] [1, 4]

Mitigation Strategies

The primary mitigation is to upgrade AutoMapper to a fixed version that addresses the vulnerability.

  • Upgrade AutoMapper to version 15.1.1 or later, preferably to version 16.1.1 where the fix is fully implemented.
  • The fix introduces a default maximum recursion depth (MaxDepth) of 64 for self-referential types to prevent stack overflow.
  • If upgrading is not immediately possible, configure your mapping profiles to explicitly set a maximum recursion depth using `.MaxDepth(n)` to limit recursion.
  • Alternatively, enable `.PreserveReferences()` in your mapping configuration to rely on object-identity caching and prevent infinite recursion.

These configuration changes help prevent uncontrolled recursion and stack exhaustion during mapping operations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32933. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart