GHSA-rvv3-g6hj-g44x
Denial of Service vulnerability in automapper (NuGet)

Category: Denial of Service. Known exploits: none.

What is GHSA-rvv3-g6hj-g44x About?

AutoMapper is vulnerable to a Denial of Service (DoS) attack when mapping deeply nested object graphs, causing `StackOverflowException` and application termination. This occurs because the library uses recursive method calls without a default maximum depth limit. Exploitation is low-complexity and requires providing a specially crafted, deeply nested object graph.

Affected Software

automapper <16.1.1

Technical Details

The vulnerability lies within AutoMapper's core mapping engine, specifically in how it handles recursive object graphs. When a source object contains properties that refer back to the same type, AutoMapper recursively attempts to map each level of the object hierarchy. Critically, there is no default or configurable maximum depth limit implemented for this recursion. This absence allows an attacker to construct a deeply nested object (e.g., 25,000+ levels) which, when processed by AutoMapper, exhausts the mapping thread's call stack. In modern .NET runtimes a `StackOverflowException` cannot be caught or recovered from, so the entire application process terminates immediately, resulting in a Denial of Service.

What is the Impact of GHSA-rvv3-g6hj-g44x?

Successful exploitation may allow attackers to crash the entire application server process, leading to a complete and unrecoverable Denial of Service.

What is the Exploitability of GHSA-rvv3-g6hj-g44x?

Exploitation requires an attacker to be able to provide a specially crafted, deeply nested object graph as input to an AutoMapper mapping operation. No authentication or specific privileges are required, as the vulnerability is triggered by the structure of the input object itself. The attack is remote if the application accepts and processes complex object structures from untrusted external sources (e.g., via API endpoints, deserialization of user input). The complexity is low, as it involves creating an object with self-referential or deeply nested properties. The primary risk factor is the absence of a default depth limit in AutoMapper when processing user-controlled object graphs.
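The two controls a practitioner would place in front of a mapping operation that accepts object graphs from untrusted input, illustrating both the Technical Details and the Exploitability sections above. This is an added C# example written for this page, not code from the advisory or from the AutoMapper project. `Node`, `NodeDto`, `DepthGuard`, `MapIfSafe`, the 25,000-element constructed chain and the limit of 32 are assumptions; AutoMapper's per-map `MaxDepth` option is a real API, but the advisory does not state whether it prevents the crash in unpatched versions, so the iterative depth check at the trust boundary is the primary control here and upgrading to 16.1.1 remains the actual fix. The `ILoggerFactory` constructor argument is the 15.x/16.x shape (assumption); older versions take only the configuration action.

```csharp
using System;
using AutoMapper;
using Microsoft.Extensions.Logging.Abstractions;

// Self-referential request/DTO pair: the shape the advisory describes.
// Constructed for this example, not taken from the advisory.
public class Node
{
    public string Name { get; set; } = "";
    public Node? Child { get; set; }
}

public class NodeDto
{
    public string Name { get; set; } = "";
    public NodeDto? Child { get; set; }
}

public static class DepthGuard
{
    // Hypothetical helper, not an AutoMapper API. Walks the graph iteratively so the
    // check itself can never overflow the stack, whatever the input depth.
    // For branching types, replace the loop with an explicit Stack<T> walk.
    public static int Depth(Node? root)
    {
        int depth = 0;
        for (var n = root; n != null; n = n.Child) depth++;
        return depth;
    }

    // True when the graph is shallow enough to hand to the mapper.
    public static bool IsWithinLimit(Node? root, int maxDepth) => Depth(root) <= maxDepth;
}

public static class Program
{
    // Application-chosen ceiling (assumption); legitimate requests rarely nest this deep.
    public const int MaxAllowedDepth = 32;

    public static void Main()
    {
        // Per-map MaxDepth as a second line of defence: the mapper stops descending
        // after MaxAllowedDepth levels regardless of how deep the input graph is.
        var config = new MapperConfiguration(cfg =>
        {
            cfg.CreateMap<Node, NodeDto>().MaxDepth(MaxAllowedDepth);
        }, NullLoggerFactory.Instance);
        var mapper = config.CreateMapper();

        // Constructed input: a linked chain far deeper than any legitimate request,
        // built with a loop (no recursion) so constructing it cannot crash the process.
        var chain = new Node { Name = "leaf" };
        for (int i = 0; i < 25_000; i++)
            chain = new Node { Name = $"n{i}", Child = chain };

        MapIfSafe(mapper, chain);                                                         // rejected
        MapIfSafe(mapper, new Node { Name = "root", Child = new Node { Name = "leaf" } }); // mapped
    }

    // Enforce the limit at the trust boundary, before the graph reaches AutoMapper.
    public static NodeDto? MapIfSafe(IMapper mapper, Node input)
    {
        int depth = DepthGuard.Depth(input);
        if (!DepthGuard.IsWithinLimit(input, MaxAllowedDepth))
        {
            // Refuse with a client-side error (HTTP 400 in an API) instead of crashing the process.
            Console.WriteLine($"rejected: nesting depth {depth} exceeds {MaxAllowedDepth}");
            return null;
        }
        var dto = mapper.Map<NodeDto>(input);
        Console.WriteLine($"mapped: root='{dto.Name}', depth={depth}");
        return dto;
    }
}
```

When the graph arrives as JSON through System.Text.Json, the deserializer's own `JsonSerializerOptions.MaxDepth` (default 64) already bounds nesting before any object is built; the explicit check above matters for inputs that bypass such a limit, for deserializers configured without one, and for graphs assembled in application code.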

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for GHSA-rvv3-g6hj-g44x?

Available Upgrade Options

  • automapper
    • <16.1.1 → Upgrade to 16.1.1


Additional Resources

What are Similar Vulnerabilities to GHSA-rvv3-g6hj-g44x?

Similar Vulnerabilities: CVE-2023-49080, CVE-2023-38411, CVE-2023-37604, CVE-2023-37605, CVE-2023-37606