AutoMapper is a widely used .NET library that facilitates convention-based object-to-object mapping, simplifying data transformations between different object models. CVE-2026-32933 identifies a vulnerability classified under CWE-674 (Uncontrolled Recursion) affecting AutoMapper versions prior to 15.1.1 and between 16.0.0 and 16.1.1. The root cause is the library's recursive approach to mapping deeply nested object graphs without enforcing a maximum recursion depth limit. An attacker can craft a maliciously deep or cyclic object graph that causes the recursive mapping method to exhaust the thread's stack memory, triggering a StackOverflowException. This exception is unhandled within the library, causing the entire application process to terminate abruptly, resulting in a denial of service (DoS). The vulnerability requires no authentication or user interaction and can be triggered remotely if the application accepts attacker-controlled input for mapping. The CVSS v3.1 base score is 7.5 (high), reflecting network attack vector, low attack complexity, no privileges or user interaction required, and impact limited to availability. The issue has been addressed in AutoMapper versions 15.1.1 and 16.1.1 by implementing safeguards such as maximum recursion depth limits or cycle detection to prevent stack exhaustion. No public exploits have been reported yet, but the vulnerability poses a significant risk to applications relying on vulnerable AutoMapper versions for object mapping.

The primary impact of CVE-2026-32933 is denial of service, where an attacker can cause a targeted .NET application using vulnerable AutoMapper versions to crash by supplying specially crafted deeply nested object graphs. This can disrupt business operations, degrade service availability, and potentially cause cascading failures in dependent systems. Applications exposed to untrusted input that undergo object mapping are at greatest risk. The vulnerability does not directly compromise confidentiality or integrity but can be leveraged to cause downtime, impacting customer trust and operational continuity. Organizations with critical .NET applications using AutoMapper in web services, APIs, or backend processing pipelines are particularly vulnerable. The ease of exploitation without authentication or user interaction increases the threat level. Although no known exploits are currently in the wild, the vulnerability's characteristics make it a likely target for attackers aiming to disrupt services or conduct denial-of-service attacks at scale.

1. Upgrade AutoMapper to version 15.1.1 or 16.1.1 or later, where the vulnerability is fixed. 2. Implement input validation and sanitization to limit the depth and complexity of object graphs accepted from untrusted sources before mapping. 3. Introduce application-level safeguards such as recursion depth limits or cycle detection when performing object mapping if upgrading is not immediately feasible. 4. Employ runtime monitoring and alerting for StackOverflowException or unexpected application crashes to detect potential exploitation attempts. 5. Use application firewalls or API gateways to restrict or inspect incoming data payloads for anomalous nested structures. 6. Conduct code reviews and static analysis to identify other recursive functions that may lack depth limits. 7. Maintain an inventory of applications using AutoMapper and prioritize patching based on exposure and criticality. 8. Educate developers about safe usage patterns of object mappers and the risks of uncontrolled recursion.