Attack Chain

1. An attacker sends a crafted request to an application using Meridian, including a large or self-referential collection in the request payload.
2. The application’s mapping logic utilizes IMapper.Map(source, destination) or .UseDestinationValue() on a collection property, triggering the vulnerable code path.
3. The MappingEngine.TryMapCollectionOntoExisting method processes the collection without enforcing DefaultMaxCollectionItems, leading to excessive memory consumption.
4. Collection-item recursion fails to increment ResolutionContext.Depth, allowing self-referential graphs to bypass DefaultMaxDepth and cause a stack overflow.
5. The unbounded collection processing consumes excessive CPU and memory resources, potentially blocking the worker thread.
6. Alternatively, an attacker exploits the ObjectCreator.CreateWithConstructorMapping vulnerability by providing input that bypasses constructor invariants due to the widest constructor being selected.
7. The application experiences a denial-of-service condition due to resource exhaustion or exhibits unintended behavior due to bypassed constructor invariants.

Impact

Successful exploitation of these vulnerabilities can lead to significant consequences. An attacker can cause denial-of-service by exhausting server resources, potentially impacting all users of the affected application. Information disclosure is possible through OpenTelemetry stack traces, and bypassing constructor invariants can lead to unexpected application behavior and potential data corruption. The high-severity vulnerabilities related to collection mapping are particularly concerning due to the potential for easy exploitation through a single crafted request. The impact is mitigated by upgrading to version 2.1.1 of the Meridian.Mapping and Meridian.Mediator libraries.

Recommendation

• Immediately upgrade to Meridian version 2.1.1 to patch the identified vulnerabilities, as documented in the v2.1.1 CHANGELOG.
• For applications that cannot be immediately upgraded, avoid using mapper.Map(src, dst) and .UseDestinationValue() on collection-typed destination members as a temporary workaround.
• Implement explicit size limits on input collection deserialization before passing the payload to Meridian, as described in the Workarounds section of this brief.
• Consider disabling OpenTelemetry exception.stacktrace tag emission if your trace sink is not fully trusted, mitigating potential information disclosure.