CVE-2025-11065

package main import ( "fmt" "github.com/go-viper/mapstructure/v2" ) // Target struct that may contain sensitive fields type Config struct { APIKey string `mapstructure:"api_key"` SecretKey string `mapstructure:"secret_key"` Username string `mapstructure:"username"` } func main() { // Simulating user-supplied malformed input // Attacker can inject sensitive-looking keys to trigger error leakage malformedInput := map[string]interface{}{ "api_key": "user_provided_value", "secret_key": "another_value", "extra_field": 12345, // This field doesn't exist in Config } var config Config // Using WeakDecode - vulnerable function // Error messages may leak input values err := mapstructure.WeakDecode(malformedInput, &config) if err != nil { // Error message contains detailed input information // In real attack, this could be logged or displayed to user fmt.Printf("Decode error: %v\n", err) fmt.Printf("Input data: %+v\n", malformedInput) } // Example of successful information disclosure scenario // When error messages are exposed in logs or API responses sensitiveConfig := map[string]interface{}{ "password": "super_secret_password_123", } var authConfig struct { Password string `mapstructure:"password"` } // This error might expose the password in logs err = mapstructure.WeakDecode(sensitiveConfig, &authConfig) if err != nil { // Log or response that exposes sensitive data fmt.Printf("Authentication error: %v\n", err) } }

{"cve": {"id": "CVE-2025-11065", "sourceIdentifier": "[email protected]", "published": "2026-01-26T20:16:06.840", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in security-critical contexts."}, {"lang": "es", "value": "Se encontró una falla en github.com/go-viper/mapstructure/v2, en el componente de procesamiento de campos que utiliza mapstructure.WeakDecode. Esta vulnerabilidad permite la revelación de información a través de mensajes de error detallados que pueden filtrar valores de entrada sensibles a través de datos malformados proporcionados por el usuario procesados en contextos críticos para la seguridad."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.6, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-209"}]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-11065", "source": "[email protected]"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2391829", "source": "[email protected]"}, {"url": "https://github.com/go-viper/mapstructure/commit/742921c9ba2854d27baa64272487fc5075d2c39c", "source": "[email protected]"}, {"url": "https://github.com/go-viper/mapstructure/security/advisories/GHSA-2464-8j7c-4cjm", "source": "[email protected]"}, {"url": "https://github.com/go-viper/mapstructure/security/advisories/GHSA-2464-8j7c-4cjm", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}