Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.5
AutoMapper Can Crash Your Server with Deep Object Graphs
GHSA-rvv3-g6hj-g44x
Summary
AutoMapper, a popular .NET library, can crash your server if it's fed a very deep and complex object graph. This can happen if an attacker sends a specially crafted object graph to your application, causing it to run out of memory and crash. To protect your server, you should limit the depth of object graphs or use a secure version of AutoMapper.
What to do
- Update automapper to version 16.1.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | automapper | <= 16.1.1 | 16.1.1 |
Original title
AutoMapper Vulnerable to Denial of Service (DoS) via Uncontrolled Recursion
Original description
### Summary
AutoMapper is vulnerable to a Denial of Service (DoS) attack. When mapping deeply nested object graphs, the library uses recursive method calls without enforcing a default maximum depth limit. This allows an attacker to provide a specially crafted object graph that exhausts the thread's stack memory, triggering a `StackOverflowException` and causing the entire application process to terminate.
### Description
The vulnerability exists in the core mapping engine. When a source object contains a property of the same type (or a type that eventually points back to itself), AutoMapper recursively attempts to map each level.
Because there is no default limit on how many levels deep this recursion can go, a sufficiently nested object (approximately 25,000+ levels in standard .NET environments) will exceed the stack size. Since `StackOverflowException` cannot be caught in modern .NET runtimes, the application cannot recover and will crash immediately.
### Impact
* **Availability:** An attacker can crash the application server, leading to a complete Denial of Service.
* **Process Termination:** Unlike standard exceptions, this terminates the entire process, not just the individual request thread.
### Proof of Concept (PoC)
The following C# code demonstrates the crash by creating a nested "Circular" object graph and attempting to map it:
```csharp
class Circular { public Circular Self { get; set; } }
// Setup configuration
var config = new MapperConfiguration(cfg => {
cfg.CreateMap<Circular, Circular>();
});
var mapper = config.CreateMapper();
// Create a deeply nested object (28,000+ levels)
var root = new Circular();
var current = root;
for (int i = 0; i < 30000; i++) {
current.Self = new Circular();
current = current.Self;
}
// This call triggers the StackOverflowException and crashes the process
mapper.Map<Circular>(root);
```
### Recommended Mitigation
1. **Secure Defaults:** Implement a default `MaxDepth` (e.g., 32 or 64) for all mapping operations.
2. **Configurable Limit:** Allow users to increase this limit if necessary, but ensure it is enabled by default to protect unsuspecting developers.
AutoMapper is vulnerable to a Denial of Service (DoS) attack. When mapping deeply nested object graphs, the library uses recursive method calls without enforcing a default maximum depth limit. This allows an attacker to provide a specially crafted object graph that exhausts the thread's stack memory, triggering a `StackOverflowException` and causing the entire application process to terminate.
### Description
The vulnerability exists in the core mapping engine. When a source object contains a property of the same type (or a type that eventually points back to itself), AutoMapper recursively attempts to map each level.
Because there is no default limit on how many levels deep this recursion can go, a sufficiently nested object (approximately 25,000+ levels in standard .NET environments) will exceed the stack size. Since `StackOverflowException` cannot be caught in modern .NET runtimes, the application cannot recover and will crash immediately.
### Impact
* **Availability:** An attacker can crash the application server, leading to a complete Denial of Service.
* **Process Termination:** Unlike standard exceptions, this terminates the entire process, not just the individual request thread.
### Proof of Concept (PoC)
The following C# code demonstrates the crash by creating a nested "Circular" object graph and attempting to map it:
```csharp
class Circular { public Circular Self { get; set; } }
// Setup configuration
var config = new MapperConfiguration(cfg => {
cfg.CreateMap<Circular, Circular>();
});
var mapper = config.CreateMapper();
// Create a deeply nested object (28,000+ levels)
var root = new Circular();
var current = root;
for (int i = 0; i < 30000; i++) {
current.Self = new Circular();
current = current.Self;
}
// This call triggers the StackOverflowException and crashes the process
mapper.Map<Circular>(root);
```
### Recommended Mitigation
1. **Secure Defaults:** Implement a default `MaxDepth` (e.g., 32 or 64) for all mapping operations.
2. **Configurable Limit:** Allow users to increase this limit if necessary, but ensure it is enabled by default to protect unsuspecting developers.
ghsa CVSS3.1
7.5
Vulnerability type
CWE-674
Published: 13 Mar 2026 · Updated: 14 Mar 2026 · First seen: 13 Mar 2026