Scandal around AutoMapper

A vulnerability (CVE-2026-32933) has been discovered in AutoMapper that allows an application to be crashed through a stack overflow: the mapper recurses into nested objects with no limit on mapping depth, so a sufficiently deep (or cyclic) object graph exhausts the stack. AutoMapper is one of the most widely used tools in the .NET ecosystem for automatic object-to-object mapping. In 2025, the project switched to a commercial model: the current versions of the library are distributed by subscription, while the old ones (under the MIT license) were left without support. Despite the high severity of the vulnerability, the developer refused to release fixes for the free versions, limiting the patch to supported (including paid) releases only. This caused a wave of criticism: part of the community accuses the author of trying to push users toward a paid subscription, while others point out that unsupported open source by definition does not guarantee security updates and may require users to maintain it themselves.
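To illustrate the class of bug described above, here is an added toy example in Python (not AutoMapper's own code; the `Node` type, the two mapper functions and the depth cap of 32 are constructed assumptions). It shows a recursive object-to-object mapper with no depth limit exhausting the stack on a cyclic graph, next to the same mapper with a hard depth cap that fails with a catchable error instead.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed toy model of the failure mode: an object-to-object mapper that
# recurses into nested members. Not AutoMapper's code; names are assumptions.

@dataclass
class Node:
    name: str
    child: Optional["Node"] = None

def map_unbounded(src):
    """Recursive mapping with no depth limit: a cyclic or very deep graph
    exhausts the stack (RecursionError here; a fatal stack overflow in .NET)."""
    if src is None:
        return None
    return {"name": src.name, "child": map_unbounded(src.child)}

class MappingDepthExceeded(Exception):
    pass

def map_bounded(src, max_depth=32, _depth=0):
    """Same mapping with a hard depth cap (32 is an assumed value): deep or
    cyclic input fails fast with an exception the caller can handle."""
    if src is None:
        return None
    if _depth >= max_depth:
        raise MappingDepthExceeded(f"mapping depth exceeded {max_depth}")
    return {"name": src.name,
            "child": map_bounded(src.child, max_depth, _depth + 1)}

def cyclic_graph():
    """Constructed input: two nodes referencing each other (a -> b -> a)."""
    a = Node("a")
    b = Node("b", child=a)
    a.child = b
    return a

def outcome(mapper):
    """Report how a mapper behaves on the cyclic graph."""
    try:
        mapper(cyclic_graph())
        return "ok"
    except RecursionError:
        return "stack exhausted"
    except MappingDepthExceeded:
        return "depth limit hit"

if __name__ == "__main__":
    print("unbounded:", outcome(map_unbounded))  # stack exhausted
    print("bounded:  ", outcome(map_bounded))    # depth limit hit
```

In .NET a stack overflow cannot be caught and terminates the process, which is why a missing depth cap turns a malformed input into a denial of service rather than a handled error.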
March 17, 2026