We are using ABP Commercial and have AutoMapper version 14.x installed, which was recently flagged with a critical security vulnerability allowing Denial of Service (DoS) attacks through uncontrolled recursion on deeply nested object graphs of the same type. This triggers a StackOverflowException after ~25,000-30,000 levels, crashing the entire application process (unrecoverable in .NET). The issue affects all free versions prior to 15.1.1 and 16.1.1, which require a paid commercial license. As ABP.commercial users, we need guidance on: Official patch or upgrade timeline to a safe AutoMapper version (or integration with alternatives like Mapperly/Mapster). Temporary mitigation (e.g., global MaxDepth configuration in ABP's AutoMapper setup). Confirmation of affected ABP modules/services using AutoMapper.
Vulnerability Links:
- GitHub Security Advisory: https://github.com/LuckyPennySoftware/AutoMapper/security/advisories/GHSA-rvv3-g6hj-g44x
- NVD CVE Detail: https://nvd.nist.gov/vuln/detail/CVE-2026-32933
- OSV.dev: https://github.com/ossf/osv.dev/blob/main/data/github/LuckyPennySoftware/AutoMapper/GHSA-rvv3-g6hj-g44x.json (includes PoC)
Please prioritize as this exposes production apps to remote crashes via crafted API inputs. Thanks!
2 Answer(s)
-
0
ABP Commercial v10.0.1 guidance (practical + ABP-aligned):
- In ABP v10, ABP has already moved its framework object-to-object mapping integration to Mapperly (so most ABP modules won’t be depending on AutoMapper anymore by default). If your solution still references AutoMapper 14.x, it’s typically coming from your application code (custom profiles/mappings), not from ABP modules.
- Best immediate mitigation in an ABP v10.0.1 app: remove AutoMapper from the runtime path by migrating your app mappings to Mapperly and switching the ABP object mapper integration to
Volo.Abp.Mapperly. This avoids relying on AutoMapper’s runtime recursion behavior entirely.
Temporary mitigation via “global MaxDepth in ABP AutoMapper setup”:
- I could not find any verified ABP v10.x configuration surface in the available indexed sources that shows ABP exposing a global “AutoMapper MaxDepth” setting (e.g., via
Configure<AbpAutoMapperOptions>(...)and an AutoMapperMaxDepthhook) that I can safely recommend here. - Because I can’t verify a correct ABP-specific knob for this, I’m not going to suggest an unverified configuration snippet.
- I could not find any verified ABP v10.x configuration surface in the available indexed sources that shows ABP exposing a global “AutoMapper MaxDepth” setting (e.g., via
Which ABP modules/services are affected?
- Based on verified ABP context: ABP v10’s framework-level mapping uses Mapperly by default, and AutoMapper is optional/legacy for your solution code. So the most likely “affected area” is any of your endpoints/services that call AutoMapper directly (or any custom ABP layer where you explicitly added
Volo.Abp.AutoMapper+ AutoMapper profiles). - Practically: search your solution for
Volo.Abp.AutoMapper,AddAutoMapperObjectMapper, andProfile : AutoMapper.Profileusage; those are your risk hotspots.
- Based on verified ABP context: ABP v10’s framework-level mapping uses Mapperly by default, and AutoMapper is optional/legacy for your solution code. So the most likely “affected area” is any of your endpoints/services that call AutoMapper directly (or any custom ABP layer where you explicitly added
Official patch / security timeline request (Commercial-specific):
- This is security + product support/timeline related. Please contact ABP/Volosoft via the official channel so they can provide an official statement and timeline: https://abp.io/contact
If you want the ABP-supported replacement path (works on ABP v10):
- Remove AutoMapper packages from your solution (where feasible) and add
Volo.Abp.Mapperly. - In your modules, depend on
AbpMapperlyModuleand register Mapperly object mapper:
- Remove AutoMapper packages from your solution (where feasible) and add
using Volo.Abp.Modularity; using Volo.Abp.Mapperly; [DependsOn(typeof(AbpMapperlyModule))] public class YourProjectApplicationModule : AbpModule { public override void ConfigureServices(ServiceConfigurationContext context) { context.Services.AddMapperlyObjectMapper<YourProjectApplicationModule>(); } }- Convert AutoMapper profiles to Mapperly mappers (ABP’s recommended direction in v10).
(Links you provided: only
https://nvd.nist.gov/vuln/detail/CVE-2026-32933was reachable from my URL validator; the GitHub advisory/OSV links were not reachable at validation time, so I did not rely on them here.)
This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
-
0
hi
We have added a code-level fix in
Volo.Abp.AutoMappermodule by settingMaxDepth = 64for all maps that don't have an explicitMaxDepthconfigured. This mitigates the actual DoS vulnerability (GHSA-rvv3-g6hj-g44x) at the framework level. See #25138.However, since the NuGet security audit checks package versions rather than code, you will still see the NU1902/NU1903 warning as long as AutoMapper 14.0.0 is referenced. Unfortunately, the AutoMapper maintainer has confirmed that no patch will be released for version 14.x (see AutoMapper#4618). Only the commercial versions (15.x/16.x) have been patched.
Workaround: To suppress the NuGet audit warning, add the following to your project file (
.csproj) orDirectory.Build.props:<ItemGroup> <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-rvv3-g6hj-g44x" /> </ItemGroup>Recommended long-term solution: We recommend migrating from AutoMapper to Mapperly. ABP Framework has built-in support for Mapperly, and we have been progressively migrating all modules to use it. See the migration guide for details.
See https://github.com/abpframework/abp/issues/25137 https://github.com/abpframework/abp/pull/25138
Thanks.
