Vulnerability Details CVE-2026-32933
AutoMapper is a convention-based object-object mapper in .NET. Versions prior to 15.1.1 and 16.1.1 are vulnerable to a Denial of Service (DoS) attack. When mapping deeply nested object graphs, the library uses recursive method calls without enforcing a default maximum depth limit. This allows an attacker to provide a specially crafted object graph that exhausts the thread's stack memory, triggering a `StackOverflowException` and causing the entire application process to terminate. Versions 15.1.1 and 16.1.1 fix the issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 7.2%
CVSS Severity
CVSS v3 Score 7.5
References
- https://github.com/LuckyPennySoftware/AutoMapper/commit/0afaf1e91648fca1a57512e94dd00a76ee016816
- https://github.com/LuckyPennySoftware/AutoMapper/releases/tag/v15.1.1
- https://github.com/LuckyPennySoftware/AutoMapper/releases/tag/v16.1.1
- https://github.com/LuckyPennySoftware/AutoMapper/security/advisories/GHSA-rvv3-g6hj-g44x
Products affected by CVE-2026-32933
-
cpe:2.3:a:luckypennysoftware:automapper:1.0
-
cpe:2.3:a:luckypennysoftware:automapper:1.1
-
cpe:2.3:a:luckypennysoftware:automapper:1.1.1
-
cpe:2.3:a:luckypennysoftware:automapper:1.1.2
-
cpe:2.3:a:luckypennysoftware:automapper:10.0.0
-
cpe:2.3:a:luckypennysoftware:automapper:10.1.0
-
cpe:2.3:a:luckypennysoftware:automapper:10.1.1
-
cpe:2.3:a:luckypennysoftware:automapper:11.0.0
-
cpe:2.3:a:luckypennysoftware:automapper:11.0.1
-
cpe:2.3:a:luckypennysoftware:automapper:12.0.0
-
cpe:2.3:a:luckypennysoftware:automapper:12.0.1
-
cpe:2.3:a:luckypennysoftware:automapper:13.0.0
-
cpe:2.3:a:luckypennysoftware:automapper:13.0.1
-
cpe:2.3:a:luckypennysoftware:automapper:14.0.0
-
cpe:2.3:a:luckypennysoftware:automapper:15.0.0
-
cpe:2.3:a:luckypennysoftware:automapper:15.0.1
-
cpe:2.3:a:luckypennysoftware:automapper:15.1.0
-
cpe:2.3:a:luckypennysoftware:automapper:16.0.0
-
cpe:2.3:a:luckypennysoftware:automapper:16.1.0
-
cpe:2.3:a:luckypennysoftware:automapper:2.0.0
-
cpe:2.3:a:luckypennysoftware:automapper:2.1.267
-
cpe:2.3:a:luckypennysoftware:automapper:2.2.0
-
cpe:2.3:a:luckypennysoftware:automapper:2.2.1
-
cpe:2.3:a:luckypennysoftware:automapper:3.0.0
-
cpe:2.3:a:luckypennysoftware:automapper:3.1.0
-
cpe:2.3:a:luckypennysoftware:automapper:3.1.1
-
cpe:2.3:a:luckypennysoftware:automapper:3.2.0
-
cpe:2.3:a:luckypennysoftware:automapper:3.2.1
-
cpe:2.3:a:luckypennysoftware:automapper:3.3.0
-
cpe:2.3:a:luckypennysoftware:automapper:3.3.1
-
cpe:2.3:a:luckypennysoftware:automapper:4.0.0
-
cpe:2.3:a:luckypennysoftware:automapper:4.0.1
-
cpe:2.3:a:luckypennysoftware:automapper:4.0.2
-
cpe:2.3:a:luckypennysoftware:automapper:4.0.3
-
cpe:2.3:a:luckypennysoftware:automapper:4.0.4
-
cpe:2.3:a:luckypennysoftware:automapper:4.1.0
-
cpe:2.3:a:luckypennysoftware:automapper:4.1.1
-
cpe:2.3:a:luckypennysoftware:automapper:4.2.0
-
cpe:2.3:a:luckypennysoftware:automapper:4.2.1
-
cpe:2.3:a:luckypennysoftware:automapper:5.0.0
-
cpe:2.3:a:luckypennysoftware:automapper:5.0.1
-
cpe:2.3:a:luckypennysoftware:automapper:5.0.2
-
cpe:2.3:a:luckypennysoftware:automapper:5.1.0
-
cpe:2.3:a:luckypennysoftware:automapper:5.1.1
-
cpe:2.3:a:luckypennysoftware:automapper:5.2.0
-
cpe:2.3:a:luckypennysoftware:automapper:6.0.0
-
cpe:2.3:a:luckypennysoftware:automapper:6.0.1
-
cpe:2.3:a:luckypennysoftware:automapper:6.0.2
-
cpe:2.3:a:luckypennysoftware:automapper:6.1.0
-
cpe:2.3:a:luckypennysoftware:automapper:6.1.1
-
cpe:2.3:a:luckypennysoftware:automapper:6.2.0
-
cpe:2.3:a:luckypennysoftware:automapper:6.2.1
-
cpe:2.3:a:luckypennysoftware:automapper:6.2.2
-
cpe:2.3:a:luckypennysoftware:automapper:7.0.0
-
cpe:2.3:a:luckypennysoftware:automapper:7.0.1
-
cpe:2.3:a:luckypennysoftware:automapper:8.0.0
-
cpe:2.3:a:luckypennysoftware:automapper:8.1.0
-
cpe:2.3:a:luckypennysoftware:automapper:8.1.1
-
cpe:2.3:a:luckypennysoftware:automapper:9.0.0