Description

AutoMapper is a convention-based object-object mapper in .NET. Versions prior to 15.1.1 and 16.1.1 are vulnerable to a Denial of Service (DoS) attack. When mapping deeply nested object graphs, the library uses recursive method calls without enforcing a default maximum depth limit. This allows an attacker to provide a specially crafted object graph that exhausts the thread's stack memory, triggering a `StackOverflowException` and causing the entire application process to terminate. Versions 15.1.1 and 16.1.1 fix the issue.

INFO

Published Date :

2026-03-20T02:38:41.105Z

Last Modified :

2026-03-20T20:02:58.558Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-32933 vulnerability.

Vendors Products
Luckypennysoftware
  • Automapper
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-32933.

URL Resource
https://github.com/LuckyPennySoftware/AutoMapper/commit/0afaf1e91648fca1a57512e94dd00a76ee016816 cve-icon cve-icon
https://github.com/LuckyPennySoftware/AutoMapper/releases/tag/v15.1.1 cve-icon cve-icon
https://github.com/LuckyPennySoftware/AutoMapper/releases/tag/v16.1.1 cve-icon cve-icon
https://github.com/LuckyPennySoftware/AutoMapper/security/advisories/GHSA-rvv3-g6hj-g44x cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact