Hi ABP Support Team,
We recently received a HIGH severity security finding (CVE-2026-32933) related to AutoMapper in our current ABP version (8.0.2).
While our long-term plan is to upgrade to ABP 10 and replace AutoMapper with Mapperly, that migration will take some time. In the interim, we need an immediate mitigation. I noticed there is a code-level fix available for this issue in this PR: https://github.com/abpframework/abp/pull/25138.
Could you advise on the best way to implement this fix into our 8.0.2 environment?
3 Answer(s)
-
0
hi

This vulnerability (GHSA-rvv3-g6hj-g44x) has been addressed in ABP 10.2 via [PR #25138](https://github.com/abpframework/abp/pull/25138), which sets a default `MaxDepth = 64` for all AutoMapper maps.

For ABP 8.x, you can apply the same mitigation without modifying framework code. Add the following to `ConfigureServices` in any of your modules:

```csharp
// Needs `using AutoMapper.Internal;` at the top of the file for Internal().
Configure<AbpAutoMapperOptions>(options =>
{
    options.Configurators.Add(ctx =>
    {
        // Visit every registered map; MaxDepth == 0 means none was configured.
        ctx.MapperConfiguration.Internal().ForAllMaps((typeMap, _) =>
        {
            if (typeMap.MaxDepth == 0)
            {
                typeMap.MaxDepth = 64;
            }
        });
    });
});
```

This iterates over all registered maps and sets `MaxDepth = 64` for any map that doesn't already have an explicit `MaxDepth` configured, which prevents the StackOverflow DoS caused by deeply nested object graphs.

You'll need to add `using AutoMapper.Internal;` for the `Internal()` extension method.

Thanks.
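As an added check that is not part of the original thread nor of ABP's or AutoMapper's own code: a stand-alone console program that applies the same `ForAllMaps` rule from the answer to a constructed self-referencing `Node`/`NodeDto` map (hypothetical types) and then maps a chain far deeper than any legitimate request would carry. It assumes AutoMapper 12.x (the `Internal()`/`ForAllMaps` API the answer relies on) and that mapping such a chain with no `MaxDepth` recurses until the stack overflows; with the mitigation applied, the mapped depth is capped at the configured value instead.

```csharp
// Added example, not code from the ABP thread or the ABP/AutoMapper projects.
// Assumes AutoMapper 12.x. Verifies that the ForAllMaps MaxDepth mitigation
// actually bounds recursion for a self-referencing map.
using System;
using AutoMapper;
using AutoMapper.Internal;

// Constructed, hypothetical entity/DTO pair that references itself.
public class Node
{
    public int Id { get; set; }
    public Node Child { get; set; }
}

public class NodeDto
{
    public int Id { get; set; }
    public NodeDto Child { get; set; }
}

public static class MaxDepthCheck
{
    // Builds a mapper; when defaultMaxDepth is set, applies the same rule the
    // answer uses: every map without an explicit MaxDepth (0 = unset) gets one.
    public static IMapper BuildMapper(int? defaultMaxDepth)
    {
        var config = new MapperConfiguration(cfg =>
        {
            cfg.CreateMap<Node, NodeDto>();

            if (defaultMaxDepth is int depth)
            {
                cfg.Internal().ForAllMaps((typeMap, _) =>
                {
                    if (typeMap.MaxDepth == 0)
                    {
                        typeMap.MaxDepth = depth;
                    }
                });
            }
        });

        config.AssertConfigurationIsValid();
        return config.CreateMapper();
    }

    // Builds a linked chain iteratively, so the only recursion being
    // exercised is AutoMapper's own.
    public static Node BuildChain(int length)
    {
        Node head = null;
        for (int i = length; i >= 1; i--)
        {
            head = new Node { Id = i, Child = head };
        }
        return head;
    }

    // Counts how many levels of the mapped graph were actually populated.
    public static int MappedDepth(NodeDto dto)
    {
        int depth = 0;
        for (var cur = dto; cur != null; cur = cur.Child)
        {
            depth++;
        }
        return depth;
    }

    public static void Main(string[] args)
    {
        // A constructed hostile payload: far deeper than any real request.
        const int hostileLength = 200_000;
        var hostile = BuildChain(hostileLength);

        // Run with the argument "unbounded" to reproduce the unmitigated path.
        // A StackOverflowException cannot be caught in .NET; the process dies.
        bool mitigate = !(args.Length > 0 && args[0] == "unbounded");
        var mapper = BuildMapper(mitigate ? 64 : (int?)null);

        var dto = mapper.Map<NodeDto>(hostile);
        Console.WriteLine($"source depth: {hostileLength}, mapped depth: {MappedDepth(dto)}");
    }
}
```

Run it once without arguments to see the mapped depth stop at the configured `MaxDepth`, and once with `unbounded` to confirm the failure mode the answer describes. In an ABP 8.x application the same probe can be run against the `IMapper` resolved from DI after the `AbpAutoMapperOptions` configurator has been added, which is the quickest way to confirm the mitigation is actually in effect for the maps your modules register.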
-
0
Hi @maliming, thank you for the prompt response
-
0
: )