Detected security warning in Scriban (transitive dep of Volo.Abp.Emailing). Infinite recursion on circular refs causes StackOverflow/DoS crash during object rendering in templates (e.g., Layout.tpl). Risky for email services with user-influenced data. Request:
Links:
Prioritize for production security.
We are using ABP Commercial and have AutoMapper version 14.x installed, which was recently flagged with a critical security vulnerability allowing Denial of Service (DoS) attacks through uncontrolled recursion on deeply nested object graphs of the same type. This triggers a StackOverflowException after ~25,000-30,000 levels, crashing the entire application process (unrecoverable in .NET). The issue affects all free versions prior to 15.1.1 and 16.1.1, which require a paid commercial license. As ABP Commercial users, we need guidance on:
1. Official patch or upgrade timeline to a safe AutoMapper version (or integration with alternatives like Mapperly/Mapster).
2. Temporary mitigation (e.g., global MaxDepth configuration in ABP's AutoMapper setup).
3. Confirmation of affected ABP modules/services using AutoMapper.
Vulnerability Links:
Please prioritize as this exposes production apps to remote crashes via crafted API inputs. Thanks!
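One way to apply the interim mitigation asked about in the post above, as an added example rather than code from the ABP or AutoMapper projects: cap the recursion depth of a map over a self-referencing type so a crafted, deeply nested input cannot drive the mapper into unbounded recursion. The types `Node`, `NodeDto`, `NodeProfile` and `MyModule` are placeholders invented for the example; `AbpAutoMapperOptions.AddMaps<T>()` and AutoMapper's `Profile`/`MaxDepth` are real APIs, but the exact depth at which the mapper stops is version-dependent, so the code only checks that the result is bounded.

```csharp
// Added example: bounding AutoMapper recursion depth inside an ABP module.
// Placeholder names: Node, NodeDto, NodeProfile, MyModule.
using System;
using AutoMapper;
using Volo.Abp;
using Volo.Abp.AutoMapper;
using Volo.Abp.Modularity;

// A self-referencing entity: the shape that lets an attacker submit an
// arbitrarily deep graph if it is ever mapped without a limit.
public class Node
{
    public string Name { get; set; }
    public Node Child { get; set; }
}

public class NodeDto
{
    public string Name { get; set; }
    public NodeDto Child { get; set; }
}

public class NodeProfile : Profile
{
    public NodeProfile()
    {
        // MaxDepth is configured per map. Beyond the configured depth AutoMapper
        // stops descending into Child instead of recursing until the stack is gone.
        CreateMap<Node, NodeDto>().MaxDepth(3);
    }
}

[DependsOn(typeof(AbpAutoMapperModule))]
public class MyModule : AbpModule
{
    public override void ConfigureServices(ServiceConfigurationContext context)
    {
        Configure<AbpAutoMapperOptions>(options =>
        {
            // Registers every Profile in this assembly, including NodeProfile.
            options.AddMaps<MyModule>();
        });
    }
}

public static class MaxDepthDemo
{
    // Builds a chain of `inputDepth` nodes (constructed input) and maps it.
    // Returns how many levels the mapped DTO actually has; with MaxDepth set this
    // stays small and constant even when inputDepth is in the tens of thousands.
    public static int MappedDepth(IMapper mapper, int inputDepth)
    {
        var root = new Node { Name = "0" };
        var cur = root;
        for (int i = 1; i < inputDepth; i++)
        {
            cur.Child = new Node { Name = i.ToString() };
            cur = cur.Child;
        }

        var dto = mapper.Map<NodeDto>(root);

        int depth = 0;
        for (var d = dto; d != null; d = d.Child) depth++;
        return depth;
    }
}
```

Because `MaxDepth` is attached to an individual `CreateMap`, it has to be set on every map whose source type can reference itself (directly or through a collection); there is no single global switch in the AutoMapper releases named in the post, which is why the per-map form is shown. Mapping a graph is also only one entry point: the same nested payload must still be rejected or depth-limited at the model-binding and JSON deserialization layer, otherwise the process can be exhausted before AutoMapper is ever invoked.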