AutoMapper Vulnerable to Denial of Service (DoS) via Uncontrolled Recursion

AutoMapper is a convention-based object-object mapper in .NET. Versions prior to 15.1.1 and 16.1.1 are vulnerable to a Denial of Service (DoS) attack. When mapping deeply nested object graphs, the library uses recursive method calls without enforcing a default maximum depth limit. This allows an attacker to provide a specially crafted object graph that exhausts the thread's stack memory, triggering a `StackOverflowException` and causing the entire application process to terminate. Versions 15.1.1 and 16.1.1 fix the issue.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

未经控制的递归

AutoMapper 安全漏洞

AutoMapper是Lucky Penny Software LLC开源的一个对象映射库。 AutoMapper 15.1.1之前版本和16.1.1之前版本存在安全漏洞，该漏洞源于映射深度嵌套对象图时未强制执行默认最大深度限制，可能导致堆栈溢出和拒绝服务。

N/A

N/A