cvedb.io
CVE-2026-32933
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2026-03-20T03:16:00.430 · Last modified 2026-06-17T10:36:35.263

Summary

AutoMapper is a convention-based object-object mapper in .NET. Versions prior to 15.1.1 and 16.1.1 are vulnerable to a Denial of Service (DoS) attack. When mapping deeply nested object graphs, the library uses recursive method calls without enforcing a default maximum depth limit. This allows an attacker to provide a specially crafted object graph that exhausts the thread's stack memory, triggering a `StackOverflowException` and causing the entire application process to terminate. Versions 15.1.1 and 16.1.1 fix the issue.

Affected products

luckypennysoftware — automapper

Does this affect you?

Add your gear to cvedb and we'll alert you only when luckypennysoftware ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.