CVE-2025-11065
Information Disclosure via WeakDecode in go-viper/mapstructure Field Processing

Publication date: 2026-01-26

Last updated on: 2026-02-03

Assigner: Red Hat, Inc.

Description
A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in security-critical contexts.
Meta Information
Published: 2026-01-26
Last Modified: 2026-02-03
Generated: 2026-05-07
AI Q&A: 2026-01-26
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor: unknown_vendor, Product: mapstructure, Version / Range: 2.4.0
Vendor: unknown_vendor, Product: mapstructure, Version / Range: up to 2.4.0 (exclusive)
CWE
CWE-209: The product generates an error message that includes sensitive information about its environment, users, or associated data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-11065 is an information disclosure vulnerability in the Go package github.com/go-viper/mapstructure/v2. It occurs when the library processes malformed user-supplied data using the mapstructure.WeakDecode function. During decoding failures, detailed error messages are generated that include the original input values, potentially leaking sensitive information in logs. This happens because parsing functions like strconv.ParseInt and time.ParseDuration embed the raw input data in their error messages. The vulnerability affects security-critical contexts where such detailed error logs can expose confidential input data. [1, 2, 3]


How can this vulnerability impact me?

This vulnerability can lead to sensitive information disclosure through error logs when malformed input data is processed. Attackers with network access can send crafted malformed data that triggers decoding errors, causing the system to log detailed error messages containing the original input values. This leakage can expose confidential or sensitive data, potentially aiding further attacks. The impact is limited to confidentiality, with no effect on integrity or availability. Mitigation involves upgrading to mapstructure version 2.4.0 or later, which sanitizes error messages to prevent such leaks. [1, 2, 3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by observing logs generated by applications using the vulnerable mapstructure library (versions ≤ 2.3.0). Specifically, look for error messages that leak sensitive input values when malformed data is processed, such as errors containing raw input strings like invalid duration strings (e.g., "asdf") or other malformed fields during decoding operations. A proof of concept involves running an affected application (e.g., OpenBao in development mode) and sending malformed input to trigger error logs that expose sensitive data. While no specific commands are provided, monitoring application logs for detailed parsing error messages that include raw input data is key to detection. [2]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the mapstructure library to version 2.4.0 or later, where the vulnerability has been fixed by wrapping and sanitizing error messages to prevent sensitive information leakage. Until the upgrade can be applied, avoid processing malformed or untrusted input data in security-critical contexts and monitor logs for sensitive data exposure. Additionally, review and apply any patches or updates provided by your software vendors that incorporate the fixed library version. [1, 2, 3]
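The mechanism behind this CVE is visible in the Go standard library alone: strconv.ParseInt and time.ParseDuration return errors whose text quotes the input they failed on, so any decoder that passes those errors straight into a log reproduces the raw value. The following is an added example, not code from go-viper/mapstructure or its fix. It shows the unsanitized error beside a hypothetical sanitized wrapper (DecodeErr, parseIntField, parseDurationField and LeaksInput are names invented here) that keeps the field name and the parser's cause (strconv.ErrSyntax / strconv.ErrRange remain reachable via errors.Is) but never repeats the input, which is the property a caller would want before writing decode failures to a log.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// DecodeErr is a hypothetical sanitized decode error (not the library's type).
// It records which field failed and what kind of value was expected, and
// wraps the parser's cause so errors.Is/errors.As still work, but its
// message never includes the raw input value.
type DecodeErr struct {
	Field string
	Kind  string // expected type, e.g. "int" or "duration"
	Err   error  // underlying cause, not rendered in Error()
}

func (e *DecodeErr) Error() string {
	return fmt.Sprintf("field %q: cannot parse value as %s", e.Field, e.Kind)
}

func (e *DecodeErr) Unwrap() error { return e.Err }

// parseIntField parses an integer field and sanitizes the failure.
// *strconv.NumError embeds the input in its message (Num) and the cause in
// Err (ErrSyntax or ErrRange); we keep only the cause.
func parseIntField(field, raw string) (int64, error) {
	v, err := strconv.ParseInt(raw, 10, 64)
	if err == nil {
		return v, nil
	}
	var ne *strconv.NumError
	if errors.As(err, &ne) {
		return 0, &DecodeErr{Field: field, Kind: "int", Err: ne.Err}
	}
	return 0, &DecodeErr{Field: field, Kind: "int", Err: errors.New("invalid integer")}
}

// parseDurationField parses a duration field. time.ParseDuration's error is
// an unexported value whose text quotes the input, so it is replaced outright.
func parseDurationField(field, raw string) (time.Duration, error) {
	d, err := time.ParseDuration(raw)
	if err != nil {
		return 0, &DecodeErr{Field: field, Kind: "duration", Err: errors.New("invalid duration")}
	}
	return d, nil
}

// LeaksInput is a log-hygiene check: does the error text reproduce the raw
// input value? A caller can gate logging on this in a test or a review.
func LeaksInput(err error, raw string) bool {
	return err != nil && strings.Contains(err.Error(), raw)
}

func main() {
	// Constructed sample: a secret-looking value sent where an int was expected.
	raw := "hunter2-not-a-number"

	_, rawErr := strconv.ParseInt(raw, 10, 64)
	fmt.Println("unsanitized:", rawErr) // quotes the raw input

	_, safeErr := parseIntField("token_ttl", raw)
	fmt.Println("sanitized:  ", safeErr) // field name and kind only
	fmt.Println("cause still ErrSyntax:", errors.Is(safeErr, strconv.ErrSyntax))

	_, dErr := parseDurationField("lease", "asdf")
	fmt.Println("sanitized duration error:", dErr)
}
```

The design choice to keep the parser's cause in Unwrap rather than discarding it entirely matters for callers that distinguish "bad syntax" from "out of range"; the message is what reaches the log, so that is the only thing stripped.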


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows sensitive information to be disclosed through detailed error messages that leak input values in security-critical contexts. Such unintended information disclosure can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive data and preventing unauthorized exposure. Therefore, organizations using affected versions of the mapstructure library may face compliance risks if this vulnerability is exploited, as it could result in exposure of personal or sensitive data through logs. [1, 2]

