{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32933", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T00:05:53.282Z", "datePublished": "2026-03-20T02:38:41.105Z", "dateUpdated": "2026-03-20T20:02:58.558Z"}, "containers": {"cna": {"title": "AutoMapper Vulnerable to Denial of Service (DoS) via Uncontrolled Recursion", "problemTypes": [{"descriptions": [{"cweId": "CWE-674", "lang": "en", "description": "CWE-674: Uncontrolled Recursion", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/LuckyPennySoftware/AutoMapper/security/advisories/GHSA-rvv3-g6hj-g44x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/LuckyPennySoftware/AutoMapper/security/advisories/GHSA-rvv3-g6hj-g44x"}, {"name": "https://github.com/LuckyPennySoftware/AutoMapper/commit/0afaf1e91648fca1a57512e94dd00a76ee016816", "tags": ["x_refsource_MISC"], "url": "https://github.com/LuckyPennySoftware/AutoMapper/commit/0afaf1e91648fca1a57512e94dd00a76ee016816"}, {"name": "https://github.com/LuckyPennySoftware/AutoMapper/releases/tag/v15.1.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/LuckyPennySoftware/AutoMapper/releases/tag/v15.1.1"}, {"name": "https://github.com/LuckyPennySoftware/AutoMapper/releases/tag/v16.1.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/LuckyPennySoftware/AutoMapper/releases/tag/v16.1.1"}], "affected": [{"vendor": "LuckyPennySoftware", "product": "AutoMapper", "versions": [{"version": ">= 16.0.0, < 16.1.1", "status": "affected"}, {"version": "< 15.1.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T02:38:41.105Z"}, "descriptions": [{"lang": "en", "value": "AutoMapper is a convention-based object-object mapper in .NET. Versions prior to 15.1.1 and 16.1.1 are vulnerable to a Denial of Service (DoS) attack. When mapping deeply nested object graphs, the library uses recursive method calls without enforcing a default maximum depth limit. This allows an attacker to provide a specially crafted object graph that exhausts the thread's stack memory, triggering a `StackOverflowException` and causing the entire application process to terminate. Versions 15.1.1 and 16.1.1 fix the issue."}], "source": {"advisory": "GHSA-rvv3-g6hj-g44x", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T20:02:49.448369Z", "id": "CVE-2026-32933", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T20:02:58.558Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32933", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T20:02:49.448369Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T20:02:54.190Z"}}], "cna": {"title": "AutoMapper Vulnerable to Denial of Service (DoS) via Uncontrolled Recursion", "source": {"advisory": "GHSA-rvv3-g6hj-g44x", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "LuckyPennySoftware", "product": "AutoMapper", "versions": [{"status": "affected", "version": ">= 16.0.0, < 16.1.1"}, {"status": "affected", "version": "< 15.1.1"}]}], "references": [{"url": "https://github.com/LuckyPennySoftware/AutoMapper/security/advisories/GHSA-rvv3-g6hj-g44x", "name": "https://github.com/LuckyPennySoftware/AutoMapper/security/advisories/GHSA-rvv3-g6hj-g44x", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/LuckyPennySoftware/AutoMapper/commit/0afaf1e91648fca1a57512e94dd00a76ee016816", "name": "https://github.com/LuckyPennySoftware/AutoMapper/commit/0afaf1e91648fca1a57512e94dd00a76ee016816", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/LuckyPennySoftware/AutoMapper/releases/tag/v15.1.1", "name": "https://github.com/LuckyPennySoftware/AutoMapper/releases/tag/v15.1.1", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/LuckyPennySoftware/AutoMapper/releases/tag/v16.1.1", "name": "https://github.com/LuckyPennySoftware/AutoMapper/releases/tag/v16.1.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "AutoMapper is a convention-based object-object mapper in .NET. Versions prior to 15.1.1 and 16.1.1 are vulnerable to a Denial of Service (DoS) attack. When mapping deeply nested object graphs, the library uses recursive method calls without enforcing a default maximum depth limit. This allows an attacker to provide a specially crafted object graph that exhausts the thread's stack memory, triggering a `StackOverflowException` and causing the entire application process to terminate. Versions 15.1.1 and 16.1.1 fix the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-674", "description": "CWE-674: Uncontrolled Recursion"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T02:38:41.105Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32933", "state": "PUBLISHED", "dateUpdated": "2026-03-20T20:02:58.558Z", "dateReserved": "2026-03-17T00:05:53.282Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T02:38:41.105Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "AutoMapper is a convention-based object-object mapper in .NET. Versions prior to 15.1.1 and 16.1.1 are vulnerable to a Denial of Service (DoS) attack. When mapping deeply nested object graphs, the library uses recursive method calls without enforcing a default maximum depth limit. This allows an attacker to provide a specially crafted object graph that exhausts the thread's stack memory, triggering a `StackOverflowException` and causing the entire application process to terminate. Versions 15.1.1 and 16.1.1 fix the issue."}], "id": "CVE-2026-32933", "lastModified": "2026-03-20T13:37:50.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T03:16:00.430", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/LuckyPennySoftware/AutoMapper/commit/0afaf1e91648fca1a57512e94dd00a76ee016816"}, {"source": "security-advisories@github.com", "url": "https://github.com/LuckyPennySoftware/AutoMapper/releases/tag/v15.1.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/LuckyPennySoftware/AutoMapper/releases/tag/v16.1.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/LuckyPennySoftware/AutoMapper/security/advisories/GHSA-rvv3-g6hj-g44x"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-674"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[16.0.0,16.1.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,15.1.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "AutoMapper", "source": "cna", "vendor": "LuckyPennySoftware"}, "product": "automapper", "vendor": "luckypennysoftware"}], "analysis": {"en": {"generated_at": "2026-03-20T04:22:27.489752+00:00", "value": {"mitigation_remediation": ["Apply the latest AutoMapper update, v15.1.1 or v16.1.1", "Verify that the application is running the patched version", "If an upgrade is not immediately possible, implement a custom recursion depth limit or validate nested objects before mapping to prevent deep recursion", "Monitor application for sudden crashes or stack overflow exceptions indicative of an attempted DoS attack"], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The affected product is LuckyPennySoftware's AutoMapper. All versions earlier than 15.1.1 and earlier than 16.1.1 are vulnerable. The fixed releases are v15.1.1 and v16.1.1.", "description_and_impact": "AutoMapper is a convention-based object-object mapper in .NET that, in versions prior to 15.1.1 and 16.1.1, performs recursive method calls when mapping deeply nested object graphs without enforcing a maximum depth limit. This uncontrolled recursion can be exploited by providing a specially crafted object graph that exhausts the thread's stack memory, causing a StackOverflowException and terminating the application process. The primary impact is a denial of service, where the affected application becomes unavailable. The weakness is identified as CWE-674, Uncontrolled Recursion or Loops.", "risk_and_exploitability": "The CVSSScore is 7.5, indicating a high severity. EPSS information is not available, so the likelihood of exploitation in the wild cannot be directly quantified from the data. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog (KEV). The attack vector is inferred to be through application input that supplies a malicious object graph; an attacker could trigger the denial of service by invoking the mapping functionality with the crafted input. No exploit proof-of-concept is publicly referenced, but the condition can be met by any payload that causes deep recursion."}}}}, "created": "2026-03-20T08:53:02.012677+00:00", "updated": "2026-03-20T10:37:46.125481+00:00", "vendors": ["luckypennysoftware", "luckypennysoftware$PRODUCT$automapper"]}