GHSA-86rf-68f4-2cph: Duplicate Advisory: go-viper's mapstructure May Leak Sensitive Information in Logs When Processing Malformed Data
(updated )
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-2464-8j7c-4cjm. This link is maintained to preserve external references.
Original Description
A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in security-critical contexts.
References
- access.redhat.com/security/cve/CVE-2025-11065
- bugzilla.redhat.com/show_bug.cgi?id=2391829
- github.com/advisories/GHSA-86rf-68f4-2cph
- github.com/go-viper/mapstructure
- github.com/go-viper/mapstructure/commit/742921c9ba2854d27baa64272487fc5075d2c39c
- github.com/go-viper/mapstructure/security/advisories/GHSA-2464-8j7c-4cjm
- nvd.nist.gov/vuln/detail/CVE-2025-11065
Code Behaviors & Features
Detect and mitigate GHSA-86rf-68f4-2cph with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →