{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32933", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T00:05:53.282Z", "datePublished": "2026-03-20T02:38:41.105Z", "dateUpdated": "2026-03-20T20:02:58.558Z"}, "containers": {"cna": {"title": "AutoMapper Vulnerable to Denial of Service (DoS) via Uncontrolled Recursion", "problemTypes": [{"descriptions": [{"cweId": "CWE-674", "lang": "en", "description": "CWE-674: Uncontrolled Recursion", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/LuckyPennySoftware/AutoMapper/security/advisories/GHSA-rvv3-g6hj-g44x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/LuckyPennySoftware/AutoMapper/security/advisories/GHSA-rvv3-g6hj-g44x"}, {"name": "https://github.com/LuckyPennySoftware/AutoMapper/commit/0afaf1e91648fca1a57512e94dd00a76ee016816", "tags": ["x_refsource_MISC"], "url": "https://github.com/LuckyPennySoftware/AutoMapper/commit/0afaf1e91648fca1a57512e94dd00a76ee016816"}, {"name": "https://github.com/LuckyPennySoftware/AutoMapper/releases/tag/v15.1.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/LuckyPennySoftware/AutoMapper/releases/tag/v15.1.1"}, {"name": "https://github.com/LuckyPennySoftware/AutoMapper/releases/tag/v16.1.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/LuckyPennySoftware/AutoMapper/releases/tag/v16.1.1"}], "affected": [{"vendor": "LuckyPennySoftware", "product": "AutoMapper", "versions": [{"version": ">= 16.0.0, < 16.1.1", "status": "affected"}, {"version": "< 15.1.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T02:38:41.105Z"}, "descriptions": [{"lang": "en", "value": "AutoMapper is a convention-based object-object mapper in .NET. Versions prior to 15.1.1 and 16.1.1 are vulnerable to a Denial of Service (DoS) attack. When mapping deeply nested object graphs, the library uses recursive method calls without enforcing a default maximum depth limit. This allows an attacker to provide a specially crafted object graph that exhausts the thread's stack memory, triggering a `StackOverflowException` and causing the entire application process to terminate. Versions 15.1.1 and 16.1.1 fix the issue."}], "source": {"advisory": "GHSA-rvv3-g6hj-g44x", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T20:02:49.448369Z", "id": "CVE-2026-32933", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T20:02:58.558Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32933", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T20:02:49.448369Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T20:02:54.190Z"}}], "cna": {"title": "AutoMapper Vulnerable to Denial of Service (DoS) via Uncontrolled Recursion", "source": {"advisory": "GHSA-rvv3-g6hj-g44x", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "LuckyPennySoftware", "product": "AutoMapper", "versions": [{"status": "affected", "version": ">= 16.0.0, < 16.1.1"}, {"status": "affected", "version": "< 15.1.1"}]}], "references": [{"url": "https://github.com/LuckyPennySoftware/AutoMapper/security/advisories/GHSA-rvv3-g6hj-g44x", "name": "https://github.com/LuckyPennySoftware/AutoMapper/security/advisories/GHSA-rvv3-g6hj-g44x", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/LuckyPennySoftware/AutoMapper/commit/0afaf1e91648fca1a57512e94dd00a76ee016816", "name": "https://github.com/LuckyPennySoftware/AutoMapper/commit/0afaf1e91648fca1a57512e94dd00a76ee016816", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/LuckyPennySoftware/AutoMapper/releases/tag/v15.1.1", "name": "https://github.com/LuckyPennySoftware/AutoMapper/releases/tag/v15.1.1", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/LuckyPennySoftware/AutoMapper/releases/tag/v16.1.1", "name": "https://github.com/LuckyPennySoftware/AutoMapper/releases/tag/v16.1.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "AutoMapper is a convention-based object-object mapper in .NET. Versions prior to 15.1.1 and 16.1.1 are vulnerable to a Denial of Service (DoS) attack. When mapping deeply nested object graphs, the library uses recursive method calls without enforcing a default maximum depth limit. This allows an attacker to provide a specially crafted object graph that exhausts the thread's stack memory, triggering a `StackOverflowException` and causing the entire application process to terminate. Versions 15.1.1 and 16.1.1 fix the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-674", "description": "CWE-674: Uncontrolled Recursion"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T02:38:41.105Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32933", "state": "PUBLISHED", "dateUpdated": "2026-03-20T20:02:58.558Z", "dateReserved": "2026-03-17T00:05:53.282Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T02:38:41.105Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:luckypennysoftware:automapper:*:*:*:*:*:*:*:*", "matchCriteriaId": "ED1E9072-4965-4A55-9B9F-19C83A9ABD91", "versionEndExcluding": "15.1.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:luckypennysoftware:automapper:*:*:*:*:*:*:*:*", "matchCriteriaId": "92FB97AB-2B2B-4D96-89D9-CE73ACABC164", "versionEndExcluding": "16.1.1", "versionStartIncluding": "16.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "AutoMapper is a convention-based object-object mapper in .NET. Versions prior to 15.1.1 and 16.1.1 are vulnerable to a Denial of Service (DoS) attack. When mapping deeply nested object graphs, the library uses recursive method calls without enforcing a default maximum depth limit. This allows an attacker to provide a specially crafted object graph that exhausts the thread's stack memory, triggering a `StackOverflowException` and causing the entire application process to terminate. Versions 15.1.1 and 16.1.1 fix the issue."}, {"lang": "es", "value": "AutoMapper es un mapeador de objetos a objetos basado en convenciones en .NET. Las versiones anteriores a la 15.1.1 y 16.1.1 son vulnerables a un ataque de denegaci\u00f3n de servicio (DoS). Al mapear grafos de objetos profundamente anidados, la biblioteca utiliza llamadas a m\u00e9todos recursivas sin imponer un l\u00edmite de profundidad m\u00e1xima predeterminado. Esto permite a un atacante proporcionar un grafo de objetos especialmente dise\u00f1ado que agota la memoria de pila del hilo, lo que desencadena una 'StackOverflowException' y provoca la terminaci\u00f3n de todo el proceso de la aplicaci\u00f3n. Las versiones 15.1.1 y 16.1.1 solucionan el problema."}], "id": "CVE-2026-32933", "lastModified": "2026-04-08T20:52:17.023", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T03:16:00.430", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/LuckyPennySoftware/AutoMapper/commit/0afaf1e91648fca1a57512e94dd00a76ee016816"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/LuckyPennySoftware/AutoMapper/releases/tag/v15.1.1"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/LuckyPennySoftware/AutoMapper/releases/tag/v16.1.1"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/LuckyPennySoftware/AutoMapper/security/advisories/GHSA-rvv3-g6hj-g44x"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-674"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[16.0.0,16.1.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,15.1.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "AutoMapper", "source": "cna", "vendor": "LuckyPennySoftware"}, "product": "automapper", "vendor": "luckypennysoftware"}], "analysis": {"en": {"generated_at": "2026-04-08T23:38:38.686484+00:00", "value": {"mitigation_remediation": ["Upgrade AutoMapper to version 15.1.1 or 16.1.1, which adds a recursion depth limit."], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "LuckyPennySoftware\u2019s AutoMapper library is affected. All releases before 15.1.1 and 16.1.1 contain the flaw; the problem was remedied in those two releases by adding a recursion depth limit.", "description_and_impact": "AutoMapper, a popular .NET object\u2011to\u2011object mapping library, uses recursive method calls when handling instance graphs. In versions prior to 15.1.1 and 16.1.1 no maximum depth is enforced, allowing an attacker to supply an object graph with arbitrarily deep nesting. The resulting deep recursion exhausts the thread stack, meaning a StackOverflowException is thrown and the application process terminates. The weakness is identified as CWE\u2011674: Uncontrolled Recursion.", "risk_and_exploitability": "The CVSS base score of 7.5 indicates a high severity, while the EPSS score of less than 1\u202f% suggests that exploitation opportunities are currently rare. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to supply the maliciously nested object graph, typically through API input or code injection that invokes AutoMapper. Once the stack is exhausted the application crashes, providing no opportunity for further malicious activity but resulting in a denial\u2011of\u2011service condition. The risk remains significant in environments where uptime is critical."}}}}, "created": "2026-03-20T08:53:02.012677+00:00", "updated": "2026-04-09T08:29:42.114408+00:00", "vendors": ["luckypennysoftware", "luckypennysoftware$PRODUCT$automapper"]}