AutoMapper Denial-of-Service Vulnerability via Uncontrolled Recursion
Vulnerability
A denial-of-service vulnerability has been identified in AutoMapper, a .NET object-object mapping library, in versions prior to 15.1.1 and 16.1.1. When the library maps a deeply nested object graph it descends the graph with recursive method calls, and no maximum depth is applied by default. An attacker who can supply the input that gets mapped (for example a deserialized request body) can therefore craft an object graph deep enough to exhaust the mapping thread's stack, raising a 'StackOverflowException' that terminates the entire application process. The flaw is in the core mapping engine and is easiest to trigger with self-referential types, where recursion can exceed 25,000 levels and the process crashes.
Impact
Exploitation crashes the host process, not just the request that triggered it. In .NET a 'StackOverflowException' cannot be caught by application code, so unlike an ordinary exception, which faults only the request thread that raised it, the overflow takes down the whole application server along with every other in-flight request.
Reproduction
The vulnerability can be reproduced with a self-referential 'Circular' class whose only reference member points to another 'Circular'. After configuring AutoMapper with a map for this type, a 'Circular' instance is built as a chain nested more than 30,000 levels deep. Passing that object to the mapper triggers the 'StackOverflowException' and the application crashes.
Remediation
Users should upgrade to AutoMapper 15.1.1 or 16.1.1. Both releases apply a default maximum depth of 64 to maps between self-referential types, which stops the recursion before the stack is exhausted. Where an upgrade cannot be applied immediately, setting an explicit 'MaxDepth' on the affected maps (a configuration option that already exists in earlier AutoMapper versions) provides the same bound.
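The reproduction and the mitigation above, as an added C# example that is not code from the advisory or from the AutoMapper project. It assumes the AutoMapper NuGet package plus Microsoft.Extensions.Logging.Abstractions for 'NullLoggerFactory', and it assumes the two-argument 'MapperConfiguration' constructor used by AutoMapper 15 and later (older versions take only the configuration lambda). The 'Circular' and 'CircularDto' classes, the 30,000-level chain and the '--crash' switch are constructed for the example.

```csharp
// Added example: bounded vs. unbounded mapping of a self-referential graph.
// Assumptions: AutoMapper package installed; v15+ MapperConfiguration(cfg, loggerFactory)
// constructor (pre-15: new MapperConfiguration(cfg => ...)); NullLoggerFactory from
// Microsoft.Extensions.Logging.Abstractions.
using System;
using AutoMapper;
using Microsoft.Extensions.Logging.Abstractions;

// Self-referential source type: each node points to the next one down.
public sealed class Circular
{
    public int Id { get; set; }
    public Circular? Child { get; set; }
}

// Destination type with the same shape, so AutoMapper performs a real member-by-member map.
public sealed class CircularDto
{
    public int Id { get; set; }
    public CircularDto? Child { get; set; }
}

public static class Program
{
    // Constructed input: a chain of `depth` nested Circular objects.
    public static Circular BuildChain(int depth)
    {
        var root = new Circular { Id = 0 };
        var current = root;
        for (var i = 1; i < depth; i++)
        {
            current.Child = new Circular { Id = i };
            current = current.Child;
        }
        return root;
    }

    // Counts how many levels are present in a mapped result.
    public static int Depth(CircularDto? node)
    {
        var depth = 0;
        while (node != null)
        {
            depth++;
            node = node.Child;
        }
        return depth;
    }

    public static IMapper BuildMapper(bool bounded)
    {
        var config = new MapperConfiguration(cfg =>
        {
            var map = cfg.CreateMap<Circular, CircularDto>();
            if (bounded)
            {
                // Explicit cap: below this level the Child member is left null instead of
                // recursing further. This is the bound that 15.1.1 / 16.1.1 apply by default
                // for self-referential types.
                map.MaxDepth(64);
            }
            // Unbounded (pre-fix default): mapping a 30,000-level chain recurses once per
            // level and the process dies with a StackOverflowException that cannot be caught.
        }, NullLoggerFactory.Instance);
        return config.CreateMapper();
    }

    public static void Main(string[] args)
    {
        // Pass --crash to run the unbounded map and observe the process terminate.
        var bounded = !Array.Exists(args, a => a == "--crash");
        var input = BuildChain(30_000);
        var mapper = BuildMapper(bounded);

        var output = mapper.Map<CircularDto>(input);
        Console.WriteLine($"bounded={bounded}, mapped depth={Depth(output)}");
    }
}
```

Run without arguments and the mapped result is truncated at the configured depth (about 64 levels) while the process stays up; run with '--crash' and the pre-fix behaviour is reproduced: the mapper recurses through all 30,000 levels and the process is terminated without reaching the final line, which is exactly why this is a full-process denial of service rather than a failed request.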
