Uncontrolled Recursion in AutoMapper

CVE-2026-32933

AutoMapper

High

7.5/10

Summary

AutoMapper is vulnerable to a Denial-of-Service (DoS) attack. Versions prior to 15.1.1 and 16.x prior to 16.1.1, when mapping deeply nested object graphs, the library uses recursive method calls without enforcing a default maximum depth limit. This allows an attacker to provide a specially crafted object graph that exhausts the thread's stack memory, triggering a `StackOverflowException` and causing the entire application process to terminate.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: HIGH

CWE-674 - Uncontrolled Recursion

The product does not properly control the amount of recursion which takes place, consuming excessive resources, such as allocated memory or the program stack.

References

Advisory
Release Note

Advisory Timeline

Published Mar 20, 2026

Uncontrolled Recursion in AutoMapper

CVE-2026-32933

Summary

CWE-674 - Uncontrolled Recursion

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS