CVE-2026-32933
Published: 20 March 2026
Summary
CVE-2026-32933 is a high-severity Uncontrolled Recursion (CWE-674) vulnerability in Luckypennysoftware Automapper. Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE sits at the 8.1st percentile by exploit likelihood (well below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-32933 is a denial-of-service (DoS) vulnerability in AutoMapper, a convention-based object-object mapper library for .NET applications. All versions before 15.1.1, and 16.x versions before 16.1.1, are affected: when mapping deeply nested object graphs the library recurses through the graph with no default maximum depth, so the recursion depth is bounded only by the attacker's input. The flaw is classified under CWE-674 (Uncontrolled Recursion) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H): high availability impact, no confidentiality or integrity impact.
The vulnerability is reachable by an unauthenticated attacker with network access to any application that feeds untrusted input (typically a deserialized request body) into AutoMapper's mapping functions; the library itself exposes no network surface, so exposure depends on the application's own input paths. By supplying an object graph with excessive nesting depth, the attacker drives the mapper into unbounded recursion that exhausts the thread's stack. The resulting StackOverflowException cannot be caught by managed code in .NET, so the runtime terminates the entire application process, taking down every other request it was serving.
Fixed versions 15.1.1 and 16.1.1 enforce a recursion limit by default; AutoMapper's per-map MaxDepth() setting, which was previously opt-in, remains available to tighten that limit further. The AutoMapper security advisory (GHSA-rvv3-g6hj-g44x) and the related GitHub releases describe the fix, including the patching commit (0afaf1e91648fca1a57512e94dd00a76ee016816). Upgrade affected applications promptly, and until then review how untrusted input reaches mapping operations: a nesting-depth cap at the deserializer (for example JsonSerializerOptions.MaxDepth in System.Text.Json, default 64) bounds the graph before the mapper ever sees it.
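The following is an added example written for this page; it is not code from the AutoMapper project or from the advisory. It shows the two layers a practitioner would put in front of a self-referencing map: a nesting cap at the JSON parser and AutoMapper's per-map MaxDepth() setting, plus an iterative depth check for graphs that do not arrive as JSON. The constructor shape (configuration action plus an ILoggerFactory) is assumed to be that of AutoMapper 15.x/16.x; the MaxNesting value and the Node/NodeDto types are hypothetical.

```csharp
using System;
using System.Text;
using System.Text.Json;
using AutoMapper;
using Microsoft.Extensions.Logging.Abstractions;

// Self-referencing model: the shape that sends AutoMapper into recursion.
public sealed class Node
{
    public string Name { get; set; } = "";
    public Node? Child { get; set; }
}

public sealed class NodeDto
{
    public string Name { get; set; } = "";
    public NodeDto? Child { get; set; }
}

public static class NestedMappingDemo
{
    // Hypothetical policy value: the deepest graph this application legitimately handles.
    private const int MaxNesting = 32;

    // Constructed test input: a parent->child chain of the requested depth.
    public static Node BuildChain(int depth)
    {
        var root = new Node { Name = "n0" };
        var cur = root;
        for (int i = 1; i < depth; i++)
        {
            cur.Child = new Node { Name = $"n{i}" };
            cur = cur.Child;
        }
        return root;
    }

    // Constructed test input: JSON nested to the requested depth, e.g. {"Name":"x","Child":{...}}.
    public static string DeepJson(int depth)
    {
        var sb = new StringBuilder();
        for (int i = 0; i < depth; i++) sb.Append("{\"Name\":\"x\",\"Child\":");
        sb.Append("null");
        sb.Append('}', depth);
        return sb.ToString();
    }

    // Iterative walk: measuring depth must not itself recurse, or the check would overflow first.
    public static int Depth(Node? n)
    {
        int d = 0;
        for (; n != null; n = n.Child) d++;
        return d;
    }

    // Layer 1: stop over-deep input at the parser. System.Text.Json enforces
    // JsonSerializerOptions.MaxDepth (default 64) and throws JsonException beyond it.
    public static Node? ParseUntrusted(string json)
    {
        var opts = new JsonSerializerOptions { MaxDepth = MaxNesting };
        try { return JsonSerializer.Deserialize<Node>(json, opts); }
        catch (JsonException) { return null; } // rejected request, not a crashed process
    }

    public static void Main()
    {
        // Layer 2: cap recursion inside the mapper. MaxDepth() is AutoMapper's per-map setting;
        // members beyond the limit are left null instead of being mapped further.
        // Constructor with ILoggerFactory assumed for 15.x/16.x; 14.x and earlier take only the action.
        var config = new MapperConfiguration(
            cfg => cfg.CreateMap<Node, NodeDto>().MaxDepth(MaxNesting),
            NullLoggerFactory.Instance);
        IMapper mapper = config.CreateMapper();

        // Over-deep JSON never becomes an object graph.
        Console.WriteLine(ParseUntrusted(DeepJson(200)) is null
            ? "deep JSON rejected at the parser"
            : "deep JSON accepted (unexpected)");

        // A graph built elsewhere (not JSON) is checked iteratively before mapping.
        Node hostile = BuildChain(100_000);
        if (Depth(hostile) > MaxNesting)
            Console.WriteLine($"graph of depth {Depth(hostile)} rejected before Map()");

        // A benign graph within policy maps normally.
        NodeDto dto = mapper.Map<NodeDto>(BuildChain(10));
        Console.WriteLine($"benign graph mapped, root = {dto.Name}");
    }
}
```

The parser cap is the cheaper control and applies regardless of which mapper or AutoMapper version is in use; MaxDepth() on the map is belt-and-braces for graphs constructed in code or arriving through other deserializers.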
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-13505
Vulnerability details
AutoMapper is a convention-based object-object mapper in .NET. Versions prior to 15.1.1 and 16.1.1 are vulnerable to a Denial of Service (DoS) attack. When mapping deeply nested object graphs, the library uses recursive method calls without enforcing a default maximum depth limit. This allows an attacker to provide a specially crafted object graph that exhausts the thread's stack memory, triggering a `StackOverflowException` and causing the entire application process to terminate. Versions 15.1.1 and 16.1.1 fix the issue.
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1499.004 Application or System Exploitation (a sub-technique of T1499 Endpoint Denial of Service)
Why this technique?
This CVE enables remote exploitation of a .NET application via untrusted input to AutoMapper, triggering uncontrolled recursion (CWE-674) that crashes the process with a StackOverflowException. That is a direct match for Endpoint Denial of Service via Application or System Exploitation.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the vulnerability by requiring timely patching of AutoMapper to version 15.1.1 or 16.1.1, which enforce recursion depth limits and prevent the stack-overflow DoS.
- SC-5 (Denial-of-service Protection): protects system resources, including thread stack memory, from denial-of-service attacks caused by unbounded recursion over deeply nested object graphs.
- Input validation: validates and constrains untrusted input before AutoMapper processes it, blocking or limiting deeply nested object graphs that would trigger uncontrolled recursion.