{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/defense-in-depth/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["defense-in-depth","resource-exhaustion","information-disclosure","dotnet"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMeridian versions before 2.1.1 contain multiple vulnerabilities stemming from defense-in-depth gaps within the \u003ccode\u003eMeridian.Mapping\u003c/code\u003e and \u003ccode\u003eMeridian.Mediator\u003c/code\u003e components. Two high-severity issues involve bypassing the advertised \u003ccode\u003eDefaultMaxCollectionItems\u003c/code\u003e and \u003ccode\u003eDefaultMaxDepth\u003c/code\u003e safety caps, particularly when using the \u003ccode\u003eIMapper.Map(source, destination)\u003c/code\u003e overload or \u003ccode\u003e.UseDestinationValue()\u003c/code\u003e on collection-typed properties. These flaws can lead to resource exhaustion. Additional medium-severity issues include constructor invariant bypass, OpenTelemetry stack-trace information disclosure, retry amplification, and notification fan-out amplification. The vulnerabilities were patched in version 2.1.1, released on April 16, 2026. The issues affect applications using the Meridian library for object-to-object mapping and mediation. Successful exploitation could lead to denial-of-service conditions, information disclosure, and unexpected application behavior.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker sends a crafted request to an application using Meridian, including a large or self-referential collection in the request payload.\u003c/li\u003e\n\u003cli\u003eThe application\u0026rsquo;s mapping logic uses \u003ccode\u003eIMapper.Map(source, destination)\u003c/code\u003e or \u003ccode\u003e.UseDestinationValue()\u003c/code\u003e on a collection property, triggering the vulnerable code path.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eMappingEngine.TryMapCollectionOntoExisting\u003c/code\u003e method processes the collection without enforcing \u003ccode\u003eDefaultMaxCollectionItems\u003c/code\u003e, leading to excessive memory consumption.\u003c/li\u003e\n\u003cli\u003eCollection-item recursion fails to increment \u003ccode\u003eResolutionContext.Depth\u003c/code\u003e, allowing self-referential graphs to bypass \u003ccode\u003eDefaultMaxDepth\u003c/code\u003e and cause a stack overflow.\u003c/li\u003e\n\u003cli\u003eThe unbounded collection processing consumes excessive CPU and memory resources, potentially blocking the worker thread.\u003c/li\u003e\n\u003cli\u003eAlternatively, an attacker exploits the \u003ccode\u003eObjectCreator.CreateWithConstructorMapping\u003c/code\u003e vulnerability by providing input that bypasses constructor invariants because the widest constructor is selected.\u003c/li\u003e\n\u003cli\u003eThe application experiences a denial-of-service condition due to resource exhaustion or exhibits unintended behavior due to bypassed constructor invariants.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities can lead to significant consequences. An attacker can cause denial-of-service by exhausting server resources, potentially impacting all users of the affected application. Information disclosure is possible through OpenTelemetry stack traces, and bypassing constructor invariants can lead to unexpected application behavior and potential data corruption. The high-severity vulnerabilities related to collection mapping are particularly concerning because a single crafted request can trigger them. The impact is mitigated by upgrading to version 2.1.1 of the \u003ccode\u003eMeridian.Mapping\u003c/code\u003e and \u003ccode\u003eMeridian.Mediator\u003c/code\u003e libraries.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade to Meridian version 2.1.1 to patch the identified vulnerabilities, as documented in the \u003ca href=\"https://github.com/UmutKorkmaz/meridian/blob/main/CHANGELOG.md#211---2026-04-16\"\u003ev2.1.1 CHANGELOG\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eFor applications that cannot be upgraded immediately, avoid using \u003ccode\u003emapper.Map(src, dst)\u003c/code\u003e and \u003ccode\u003e.UseDestinationValue()\u003c/code\u003e on collection-typed destination members as a temporary workaround.\u003c/li\u003e\n\u003cli\u003eImplement explicit size limits on input collection deserialization before passing the payload to Meridian, as described in the \u003ca href=\"#workarounds\"\u003eWorkarounds section\u003c/a\u003e of this brief.\u003c/li\u003e\n\u003cli\u003eConsider disabling OpenTelemetry \u003ccode\u003eexception.stacktrace\u003c/code\u003e tag emission if your trace sink is not fully trusted, mitigating potential information disclosure.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T12:00:00Z","date_published":"2026-04-17T12:00:00Z","id":"/briefs/2026-04-17-meridian-defense-gaps/","summary":"Multiple defense-in-depth gaps exist in Meridian versions prior to 2.1.1, including high-severity issues related to bypassing safety caps on collection mapping that can lead to resource exhaustion, along with medium- and low-severity issues affecting constructor selection, telemetry, retry mechanisms, and exception handling.","title":"Meridian Library Multiple Defense-in-Depth Gaps","url":"https://feed.craftedsignal.io/briefs/2026-04-17-meridian-defense-gaps/"}],"language":"en","title":"CraftedSignal Threat Feed — Defense-in-Depth","version":"https://jsonfeed.org/version/1.1"}