Skip to content

Update dependency AutoMapper to v15 [SECURITY]#86

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/nuget-automapper-vulnerability
Open

Update dependency AutoMapper to v15 [SECURITY]#86
renovate[bot] wants to merge 1 commit intomainfrom
renovate/nuget-automapper-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate bot commented Mar 14, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
AutoMapper (source) 14.0.015.1.3 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2026-32933

Summary

AutoMapper is vulnerable to a Denial of Service (DoS) attack. When mapping deeply nested object graphs, the library uses recursive method calls without enforcing a default maximum depth limit. This allows an attacker to provide a specially crafted object graph that exhausts the thread's stack memory, triggering a StackOverflowException and causing the entire application process to terminate.

Description

The vulnerability exists in the core mapping engine. When a source object contains a property of the same type (or a type that eventually points back to itself), AutoMapper recursively attempts to map each level.

Because there is no default limit on how many levels deep this recursion can go, a sufficiently nested object (approximately 25,000+ levels in standard .NET environments) will exceed the stack size. Since StackOverflowException cannot be caught in modern .NET runtimes, the application cannot recover and will crash immediately.

Impact

  • Availability: An attacker can crash the application server, leading to a complete Denial of Service.
  • Process Termination: Unlike standard exceptions, this terminates the entire process, not just the individual request thread.

Proof of Concept (PoC)

The following C# code demonstrates the crash by creating a nested "Circular" object graph and attempting to map it:

class Circular { public Circular Self { get; set; } }

// Setup configuration
var config = new MapperConfiguration(cfg => {
    cfg.CreateMap<Circular, Circular>();
});
var mapper = config.CreateMapper();

// Create a deeply nested object (28,000+ levels)
var root = new Circular();
var current = root;
for (int i = 0; i < 30000; i++) {
    current.Self = new Circular();
    current = current.Self;
}

// This call triggers the StackOverflowException and crashes the process
mapper.Map<Circular>(root);

Recommended Mitigation

  1. Secure Defaults: Implement a default MaxDepth (e.g., 32 or 64) for all mapping operations.
  2. Configurable Limit: Allow users to increase this limit if necessary, but ensure it is enabled by default to protect unsuspecting developers.

Release Notes

LuckyPennySoftware/AutoMapper (AutoMapper)

v15.1.3

What's Changed

Security

Fixed an issue where certain cyclic or self-referential object graphs could trigger uncontrolled recursion during mapping, potentially resulting in stack exhaustion and denial of service.

Applications that process untrusted or attacker-controlled object graphs through affected mapping paths may be impacted.

Users should upgrade to this release.

Security advisory: GHSA-rvv3-g6hj-g44x

Thanks to @​skdishansachin for responsibly disclosing this issue.

Full Changelog: LuckyPennySoftware/AutoMapper@v15.1.0...v15.1.3

v15.1.2

What's Changed

Security

Fixed an issue where certain cyclic or self-referential object graphs could trigger uncontrolled recursion during mapping, potentially resulting in stack exhaustion and denial of service.

Applications that process untrusted or attacker-controlled object graphs through affected mapping paths may be impacted.

Users should upgrade to this release.

Security advisory: GHSA-rvv3-g6hj-g44x

Thanks to @​skdishansachin for responsibly disclosing this issue.

Full Changelog: LuckyPennySoftware/AutoMapper@v16.1.1...v15.1.2

v15.1.1

What's Changed

Security

Fixed an issue where certain cyclic or self-referential object graphs could trigger uncontrolled recursion during mapping, potentially resulting in stack exhaustion and denial of service.

Applications that process untrusted or attacker-controlled object graphs through affected mapping paths may be impacted.

Users should upgrade to this release.

Security advisory: GHSA-rvv3-g6hj-g44x

Thanks to @​skdishansachin for responsibly disclosing this issue.

Full Changelog: LuckyPennySoftware/AutoMapper@v16.1.1...v15.1.1

v15.1.0

What's Changed

New Contributors

Full Changelog: LuckyPennySoftware/AutoMapper@v15.0.1...v15.1.0

v15.0.1

What's Changed

Full Changelog: LuckyPennySoftware/AutoMapper@v15.0.0...v15.0.1

This release supersedes the 15.0.0 release, reverting behavior and overloads so that the AddAutoMapper overloads separate the "scanning for maps" from the "scanning for dependencies". Unfortunately it's not really possible to combine these two together.

This also fixes a critical bug in #​4545 that does not work with .NET 4.x applications (as intended).

Because of this, the 15.0.0 will be delisted because of the breaking changes there.

v15.0.0

Full Changelog: LuckyPennySoftware/AutoMapper@v14.0.0...v15.0.0

  • Added support for .NET Standard 2.0
  • Requiring license key
  • Moving from MIT license to dual commercial/OSS license

To set your license key:

services.AddAutoMapper(cfg => {
    cfg.LicenseKey = "<License key here>";
});

This also introduced a breaking change with MapperConfiguration requiring an ILoggerFactory for logging purposes:

public MapperConfiguration(MapperConfigurationExpression configurationExpression, ILoggerFactory loggerFactory)

Registering AutoMapper with services.AddAutoMapper will automatically supply this parameter. Otherwise you'll need to supply the logger factory.

You can obtain your license key at AutoMapper.io

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/London, Automerge - "after 10am every weekday,before 4pm every weekday" in timezone Europe/London.

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot force-pushed the renovate/nuget-automapper-vulnerability branch from 04f57e9 to 88e3ceb Compare March 16, 2026 15:40
@renovate renovate bot changed the title Update dependency AutoMapper to v16 [SECURITY] Update dependency AutoMapper to v15 [SECURITY] Mar 16, 2026
@renovate renovate bot force-pushed the renovate/nuget-automapper-vulnerability branch from 88e3ceb to 9aa951d Compare March 18, 2026 05:57
@renovate renovate bot changed the title Update dependency AutoMapper to v15 [SECURITY] Update dependency AutoMapper to v15 [SECURITY] - autoclosed Mar 27, 2026
@renovate renovate bot closed this Mar 27, 2026
@renovate renovate bot deleted the renovate/nuget-automapper-vulnerability branch March 27, 2026 02:43
@renovate renovate bot changed the title Update dependency AutoMapper to v15 [SECURITY] - autoclosed Update dependency AutoMapper to v15 [SECURITY] Mar 30, 2026
@renovate renovate bot reopened this Mar 30, 2026
@renovate renovate bot force-pushed the renovate/nuget-automapper-vulnerability branch 2 times, most recently from 9aa951d to 3efdf58 Compare March 30, 2026 19:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies renovate security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants