CVE Reports

Posted on • Originally published at cvereports.com

GHSA-RVV3-G6HJ-G44X: Denial of Service via Uncontrolled Recursion in AutoMapper

Vulnerability ID: GHSA-RVV3-G6HJ-G44X
CVSS Score: 8.7
Published: 2026-03-13

AutoMapper prior to version 16.1.1 is vulnerable to a Denial of Service (DoS) condition caused by uncontrolled recursion during object mapping. An attacker can supply a deeply nested, self-referential object graph consisting of unique instances to trigger a StackOverflowException, resulting in immediate process termination.

TL;DR

A flaw in AutoMapper's handling of self-referential object graphs allows remote attackers to trigger a non-catchable StackOverflowException via deeply nested object inputs, causing an application crash. The issue is resolved in version 16.1.1 by enforcing a default recursion limit of 64.


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Class: Uncontrolled Recursion
  • CWE ID: CWE-674, CWE-400
  • CVSS Score: 8.7
  • Attack Vector: Network / Remote
  • Impact: Denial of Service (Process Termination)
  • Exploit Status: Proof of Concept Available

Affected Systems

  • AutoMapper < 16.1.1 (Fixed in: 16.1.1)
  • .NET Applications utilizing AutoMapper for self-referential types

Code Analysis

Commit: 0afaf1e

Fix DoS via Uncontrolled Recursion by setting default MaxDepth to 64

Exploit Details

  • Official Unit Tests: Unit test demonstrating a 30,000 deep chain of distinct Circular objects causing a stack overflow.

Mitigation Strategies

  • Upgrade AutoMapper to 16.1.1 or higher.
  • Apply explicit MaxDepth configurations to recursive map profiles.
  • Avoid explicit use of PreserveReferences() without an accompanying MaxDepth on untrusted inputs.

Remediation Steps:

  1. Identify all AutoMapper package references in the solution.
  2. Update the AutoMapper NuGet package to version 16.1.1.
  3. Review MapperConfiguration instances for self-referential mappings.
  4. Test mapping logic to ensure the new default limit of 64 does not break legitimate deep structures.
  5. If legitimate structures exceed depth 64, explicitly configure MaxDepth(N).
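The following is an added example (not code from the advisory or from the AutoMapper project) showing the remediation above in practice: a self-referential map with an explicit MaxDepth, a cheap pre-mapping depth guard for untrusted input, and a check of how deep the mapper actually descends when fed a 30,000-node chain of distinct instances like the one in the official unit test. The types Circular/CircularDto and the helper names are constructed for this example; it assumes the AutoMapper 15+/16 MapperConfiguration constructor that takes an ILoggerFactory (older versions take only the configuration lambda).

```csharp
using System;
using AutoMapper;
using Microsoft.Extensions.Logging.Abstractions;

// Self-referential source and destination types (constructed for this example).
public class Circular    { public int Id { get; set; } public Circular? Next { get; set; } }
public class CircularDto { public int Id { get; set; } public CircularDto? Next { get; set; } }

// Profile that bounds recursion explicitly instead of relying on the 16.1.1 default of 64.
public class CircularProfile : Profile
{
    public CircularProfile()
    {
        CreateMap<Circular, CircularDto>()
            .PreserveReferences() // handles true cycles, but does NOT bound a chain of unique instances
            .MaxDepth(64);        // bounds how far the mapper follows Next regardless of graph shape
    }
}

public static class Program
{
    // Builds a chain of N distinct instances (no cycle), the shape used by the advisory's unit test.
    public static Circular BuildChain(int length)
    {
        var head = new Circular { Id = 0 };
        var cur = head;
        for (int i = 1; i < length; i++) { cur.Next = new Circular { Id = i }; cur = cur.Next; }
        return head;
    }

    // Input-side guard: reject untrusted graphs deeper than the limit before they reach the mapper.
    public static bool ExceedsDepth(Circular? c, int limit)
    {
        int n = 0;
        while (c != null && n <= limit) { n++; c = c.Next; }
        return n > limit;
    }

    // Counts how many levels the mapper actually produced.
    public static int MappedDepth(CircularDto? d) { int n = 0; while (d != null) { n++; d = d.Next; } return n; }

    public static void Main()
    {
        // Assumption: AutoMapper 15+/16 constructor signature; drop the logger argument on older versions.
        var config = new MapperConfiguration(cfg => cfg.AddProfile<CircularProfile>(), NullLoggerFactory.Instance);
        var mapper = config.CreateMapper();

        var input = BuildChain(30_000);
        Console.WriteLine($"guard rejects input: {ExceedsDepth(input, 64)}");   // true for a 30,000-deep chain
        Console.WriteLine($"mapped depth with MaxDepth(64): {MappedDepth(mapper.Map<CircularDto>(input))}");
    }
}
```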

Read the full report for GHSA-RVV3-G6HJ-G44X on our website for more details including interactive diagrams and full exploit analysis.