AutoMapper v15 Security Update Patches Critical DoS Vulnerability (CVE-2026-32933)
A critical security vulnerability in the widely used AutoMapper library has been patched, and the remediated release requires a major version jump from 12.0.1 to 15.1.3. The flaw, tracked as CVE-2026-32933, exposes applications to Denial of Service (DoS) attacks. The core issue lies in the library's handling of object mapping: when processing deeply nested object graphs, AutoMapper uses recursive method calls without enforcing a default maximum depth limit. This architectural oversight allows a malicious actor to craft an object structure that triggers uncontrolled recursion, exhausting the thread's stack and crashing the application.
The vulnerability advisory was published by the project maintainers, LuckyPennySoftware, and is being tracked via GitHub's security alert system. The update is not a minor patch but a significant leap across three major versions, indicating the severity of the underlying fix required. The dependency management bot Renovate has flagged this as a high-priority security update, with the new version marked for immediate adoption to mitigate the exploit risk.
This vulnerability poses a direct threat to any production system using AutoMapper for data transformation, a common task in .NET applications. Without a default recursion depth guard, any endpoint that accepts user-controlled object graphs is a potential attack vector. Development and security teams must prioritize applying this update, as the exploit could cause service instability and unplanned downtime with minimal attacker effort. The fix in v15.1.3 presumably introduces depth limiting or an alternative non-recursive mapping strategy to neutralize this specific attack path.
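As an added illustration (not code from the advisory or from AutoMapper's own sources), the following .NET snippet shows the defensive pattern a team can apply at an endpoint while the upgrade is rolled out: a self-referencing DTO of the kind that lets input nest arbitrarily deep, an explicit per-map cap via AutoMapper's long-standing `MaxDepth` option (the advisory above does not say whether the v15.1.3 fix uses it), and an iterative depth check that rejects over-deep graphs before they reach the mapper. The `Node`/`NodeDto` types, the limit of 32, and the use of the v12-era `MapperConfiguration` constructor are assumptions.

```csharp
using System;
using System.Collections.Generic;
using AutoMapper;

// Constructed self-referencing model and DTO: the shape that lets a caller nest input arbitrarily deep.
public sealed class Node { public string Name { get; set; } = ""; public List<Node> Children { get; set; } = new(); }
public sealed class NodeDto { public string Name { get; set; } = ""; public List<NodeDto> Children { get; set; } = new(); }

public static class SafeMapping
{
    // Assumed policy value: anything deeper is treated as malformed or hostile input.
    public const int MaxAllowedDepth = 32;

    // Per-map depth cap using AutoMapper's existing MaxDepth option, so the recursive
    // Node -> NodeDto mapping stops at the limit instead of unwinding the whole graph.
    public static IMapper BuildMapper()
    {
        var config = new MapperConfiguration(cfg =>
            cfg.CreateMap<Node, NodeDto>().MaxDepth(MaxAllowedDepth));
        return config.CreateMapper();
    }

    // Iterative depth measurement with an explicit stack: the guard itself must not be
    // recursive, or the input it screens could overflow the stack here instead.
    // Returning as soon as the limit is exceeded also terminates on cyclic graphs.
    public static int MeasureDepth(Node root)
    {
        var pending = new Stack<(Node Node, int Depth)>();
        pending.Push((root, 1));
        var deepest = 0;
        while (pending.Count > 0)
        {
            var (node, depth) = pending.Pop();
            if (depth > deepest) deepest = depth;
            if (depth > MaxAllowedDepth) return depth;
            foreach (var child in node.Children ?? new List<Node>()) pending.Push((child, depth + 1));
        }
        return deepest;
    }

    // Boundary check: reject over-deep graphs before they reach the mapper at all.
    public static NodeDto MapChecked(IMapper mapper, Node input)
    {
        if (MeasureDepth(input) > MaxAllowedDepth)
            throw new ArgumentException($"Object graph deeper than {MaxAllowedDepth} levels rejected.");
        return mapper.Map<NodeDto>(input);
    }
}
```

Wiring `MapChecked` into the request path is what turns an unbounded recursion into a logged, bounded rejection; the `MaxDepth` setting is a second line of defense for graphs that reach the mapper through other routes.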