Anonymous Intelligence Signal

AutoMapper v15 Security Update Patches Critical DoS Vulnerability (CVE-2026-32933)

human The Lab unverified 2026-03-31 10:27:08 Source: GitHub Issues

A critical security vulnerability in the widely used AutoMapper library, tracked as CVE-2026-32933, exposes .NET applications that map attacker-controlled object graphs to Denial of Service (DoS). The flaw lies in how the library handles deeply nested object graphs: nested members are mapped through recursive method calls, and, crucially, no maximum depth is enforced by default. An attacker who can get a deeply nested graph into a mapping operation therefore drives the recursion as deep as the input, exhausting the stack of the executing thread. In .NET a StackOverflowException cannot be caught, so the outcome is not a failed request but a terminated process.

The vulnerability affects versions prior to 15.1.3. The security advisory published by the maintainers at LuckyPennySoftware explicitly warns that the flaw allows an attacker to exhaust stack memory. The fix, delivered in AutoMapper 15.1.3, adds depth limiting to the mapping logic so that the recursion can no longer overflow the stack. This is not a theoretical risk: mapping deserialized input into domain or DTO types is exactly what AutoMapper is used for in enterprise and web applications, which places the trigger on the input path of many services.
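The C# program below is an added example, not AutoMapper's own code and not the advisory's proof of concept. It builds a self-referencing type, constructs an attacker-shaped chain far deeper than any legitimate payload, and contrasts a map with no depth bound against one hardened with AutoMapper's MaxDepth option. The Node and NodeDto types, BuildChain and MeasureDepth are illustrative; it also assumes the AutoMapper 15.x MapperConfiguration constructor that takes an ILoggerFactory, and that Microsoft.Extensions.Logging.Abstractions is available for NullLoggerFactory.

```csharp
// Added example, not AutoMapper's or the advisory's code.
// Assumptions: AutoMapper 15.x (MapperConfiguration takes an ILoggerFactory);
// Microsoft.Extensions.Logging.Abstractions supplies NullLoggerFactory.
using System;
using AutoMapper;
using Microsoft.Extensions.Logging.Abstractions;

public sealed class Node
{
    public string Name { get; set; } = "";
    public Node? Child { get; set; }     // self-reference: the type itself puts no bound on nesting
}

public sealed class NodeDto
{
    public string Name { get; set; } = "";
    public NodeDto? Child { get; set; }
}

public static class DepthLimitDemo
{
    // Constructed attacker-shaped input: a chain of `depth` nodes.
    // Built iteratively so that creating it never touches a recursive path.
    public static Node BuildChain(int depth)
    {
        Node? head = null;
        for (int i = depth; i >= 1; i--)
            head = new Node { Name = $"n{i}", Child = head };
        return head!;
    }

    // Walks the mapped result so the effect of the depth bound is observable.
    public static int MeasureDepth(NodeDto? dto)
    {
        int n = 0;
        for (var cur = dto; cur != null; cur = cur.Child) n++;
        return n;
    }

    // Weak configuration: no MaxDepth. On a version before 15.1.3 the mapper
    // recurses once per level of the input; a graph deep enough to exhaust the
    // thread's stack terminates the process, since StackOverflowException
    // cannot be caught in .NET.
    public static IMapper UnboundedMapper() =>
        new MapperConfiguration(
            cfg => cfg.CreateMap<Node, NodeDto>(),
            NullLoggerFactory.Instance).CreateMapper();

    // Hardened configuration: MaxDepth caps the recursion regardless of how
    // deep the input is. Members beyond the limit are left null, not mapped.
    public static IMapper BoundedMapper(int maxDepth) =>
        new MapperConfiguration(
            cfg => cfg.CreateMap<Node, NodeDto>().MaxDepth(maxDepth),
            NullLoggerFactory.Instance).CreateMapper();

    public static void Main(string[] args)
    {
        var hostile = BuildChain(100_000);   // far deeper than any legitimate payload

        var dto = BoundedMapper(16).Map<NodeDto>(hostile);
        Console.WriteLine($"bounded mapper produced depth {MeasureDepth(dto)} (limit 16)");

        // Only exercise the unbounded map when explicitly asked: on an
        // affected version this is expected to crash the whole process.
        if (args.Length > 0 && args[0] == "--unbounded")
        {
            var dto2 = UnboundedMapper().Map<NodeDto>(hostile);
            Console.WriteLine($"unbounded mapper produced depth {MeasureDepth(dto2)}");
        }
    }
}
```

Two points for triage. First, MaxDepth is configured per type map, so it has to be set on every map whose source type is self-referencing or mutually recursive; a single unconfigured map is enough to keep the crash path open on an affected version. Second, check how input reaches the mapper: ASP.NET Core's System.Text.Json input formatter rejects JSON nested deeper than 64 levels by default (JsonSerializerOptions.MaxDepth), which a 64-frame recursion will not overflow, so the services most exposed are those that raised that limit, use a deserializer without a depth cap, or map graphs that were assembled in-process from untrusted data.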

Renovate is already opening pull requests that bump AutoMapper from 14.0.0 to 15.1.3, marked with high merge confidence. Given how widely AutoMapper is used across the .NET ecosystem, the affected surface is large: backend services, APIs and data-processing layers. Development and security teams should treat this as a high-priority patch to remove the service-disruption risk. Two practical notes: 14.0.0 to 15.1.3 crosses a major version, so the bump should be built and tested rather than auto-merged on confidence alone, and running dotnet list package --vulnerable in each solution will flag projects that pull in an affected version once the advisory is present in the NuGet vulnerability data.