Allocation of Resources Without Limits or Throttling in meridian.mediator

Q: How to fix?

Upgrade Meridian.Mediator to version 2.1.1 or higher.

Introduced: 16 Apr 2026

How to fix?

Upgrade Meridian.Mediator to version 2.1.1 or higher.

Overview

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the MappingEngine.TryMapCollectionOntoExisting object through Map(src) call. An attacker can exhaust system resources and cause application downtime by submitting large collection payloads that bypass intended safety caps.

Note:

The vendor disclosed several security gaps in publicly accessible APIs, ranging from Low to High severity. For more details see their Security Advisory.

References

GitHub Advisory
GitHub ChangeLog
GitHub Commit
GitHub Release

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
None
Availability (VA)
High

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Allocation of Resources Without Limits or Throttling Affecting meridian.mediator package, versions [,2.1.1)

Severity

Do your applications use this vulnerable package?

Snyk Learn

Introduced: 16 Apr 2026

How to fix?

Overview

References

CVSS Base Scores

Snyk