CVE-2025-11065
Information Disclosure via WeakDecode in go-viper/mapstructure Field Processing

Publication date: 2026-01-26

Last updated on: 2026-02-03

Assigner: Red Hat, Inc.

Description
A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in security-critical contexts.
Meta Information
Published: 2026-01-26
Last Modified: 2026-02-03
Generated: 2026-06-16
AI Q&A: 2026-01-26
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Vendor | Product | Version / Range
unknown_vendor | mapstructure | 2.4.0
unknown_vendor | mapstructure | to 2.4.0 (exc)
CWE ID Description
CWE-209 The product generates an error message that includes sensitive information about its environment, users, or associated data.
Executive Summary

CVE-2025-11065 is an information disclosure vulnerability in the Go package github.com/go-viper/mapstructure/v2. It occurs when the library processes malformed user-supplied data using the mapstructure.WeakDecode function. During decoding failures, detailed error messages are generated that include the original input values, potentially leaking sensitive information in logs. This happens because parsing functions like strconv.ParseInt and time.ParseDuration embed the raw input data in their error messages. The vulnerability affects security-critical contexts where such detailed error logs can expose confidential input data. [1, 2, 3]

Impact Analysis

This vulnerability can lead to sensitive information disclosure through error logs when malformed input data is processed. Attackers with network access can send crafted malformed data that triggers decoding errors, causing the system to log detailed error messages containing the original input values. This leakage can expose confidential or sensitive data, potentially aiding further attacks. The impact is limited to confidentiality, with no effect on integrity or availability. Mitigation involves upgrading to mapstructure version 2.4.0 or later, which sanitizes error messages to prevent such leaks. [1, 2, 3]

Detection Guidance

This vulnerability can be detected by observing logs generated by applications using the vulnerable mapstructure library (versions ≤ 2.3.0). Specifically, look for error messages that leak sensitive input values when malformed data is processed, such as errors containing raw input strings like invalid duration strings (e.g., "asdf") or other malformed fields during decoding operations. A proof of concept involves running an affected application (e.g., OpenBao in development mode) and sending malformed input to trigger error logs that expose sensitive data. While no specific commands are provided, monitoring application logs for detailed parsing error messages that include raw input data is key to detection. [2]

Mitigation Strategies

The immediate mitigation step is to upgrade the mapstructure library to version 2.4.0 or later, where the vulnerability has been fixed by wrapping and sanitizing error messages to prevent sensitive information leakage. Until the upgrade can be applied, avoid processing malformed or untrusted input data in security-critical contexts and monitor logs for sensitive data exposure. Additionally, review and apply any patches or updates provided by your software vendors that incorporate the fixed library version. [1, 2, 3]
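
The leak described in the Executive Summary and the wrap-and-sanitize approach described above can be reproduced with the Go standard library alone. The following is an added example, not code from mapstructure or from this advisory: decodeField and sanitize are hypothetical helpers, and the secret is a constructed sample value.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"time"
)

// decodeField mimics a weakly typed decode of one string field. It is a
// hypothetical stand-in for illustration, not mapstructure's code.
func decodeField(kind, raw string) (any, error) {
	switch kind {
	case "int":
		return strconv.ParseInt(raw, 0, 64)
	case "duration":
		return time.ParseDuration(raw)
	}
	return nil, fmt.Errorf("unsupported kind %q", kind)
}

// sanitize returns an error that names the field and the failure class
// but never repeats the rejected input.
func sanitize(field, kind string, err error) error {
	if err == nil {
		return nil
	}
	var numErr *strconv.NumError
	if errors.As(err, &numErr) {
		// NumError.Num holds the raw input; keep only the cause.
		return fmt.Errorf("field %q: cannot parse as %s: %w", field, kind, numErr.Err)
	}
	// time.ParseDuration bakes the input into the error text, so the
	// message is replaced entirely rather than wrapped.
	return fmt.Errorf("field %q: cannot parse as %s", field, kind)
}

func main() {
	const secret = "CONSTRUCTED-SECRET-123" // constructed sample value
	for _, kind := range []string{"int", "duration"} {
		_, err := decodeField(kind, secret)
		fmt.Println("raw:      ", err)
		fmt.Println("sanitized:", sanitize("ttl", kind, err))
	}
}
```

The raw errors contain the submitted value verbatim, which is what ends up in logs; the sanitized errors keep the field name and failure class, and the integer case still matches strconv.ErrSyntax through errors.Is.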

Compliance Impact

This vulnerability allows sensitive information to be disclosed through detailed error messages that leak input values in security-critical contexts. Such unintended information disclosure can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive data and preventing unauthorized exposure. Therefore, organizations using affected versions of the mapstructure library may face compliance risks if this vulnerability is exploited, as it could result in exposure of personal or sensitive data through logs. [1, 2]
