Bug 2375247 (GHSA-fv92-fjc5-jj9h)

Summary: github.com/go-viper/mapstructure/v2: mapstructure May Leak Sensitive Information
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability-draft
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
Severity: medium
Priority: medium
Version: unspecified
CC: alcohan, brainfor, cfergeau, debarshir, gparvin, jbalunas, jkoehler, ldai, lphiri, lsharar, lucarval, mwringe, njean, owatkins, pahickey, rhaigner, sdawley
Target Milestone: ---
Keywords: Reopened, Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: ---
Doc Text: An information disclosure flaw has been discovered in mapstructure. When the library encounters an error while processing sensitive information, it may insert the sensitive information into an error log.
Story Points: ---
Last Closed: 2025-07-04 07:45:42 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2375621, 2375623, 2375626, 2375601, 2375602, 2375603, 2375604, 2375605, 2375606, 2375607, 2375608, 2375609, 2375610, 2375611, 2375612, 2375613, 2375614, 2375615, 2375616, 2375617, 2375618, 2375619, 2375620, 2375622, 2375624, 2375625, 2375627, 2375628, 2375629, 2375630, 2375631, 2375632

Description OSIDB Bzimport 2025-06-27 20:01:15 UTC
### Summary

Use of this library in a security-critical context may result in leaking sensitive information, if used to process sensitive fields.

### Details

OpenBao (and presumably HashiCorp Vault) has surfaced error messages from `mapstructure` as follows:

https://github.com/openbao/openbao/blob/98c3a59c040efca724353ca46ca79bd5cdbab920/sdk/framework/field_data.go#L43-L50

```go
_, _, err := d.getPrimitive(field, schema)
if err != nil {
	return fmt.Errorf("error converting input for field %q: %w", field, err)
}
```

where this calls `mapstructure.WeakDecode(...)`: https://github.com/openbao/openbao/blob/98c3a59c040efca724353ca46ca79bd5cdbab920/sdk/framework/field_data.go#L181-L193

```go
func (d *FieldData) getPrimitive(k string, schema *FieldSchema) (interface{}, bool, error) {
	raw, ok := d.Raw[k]
	if !ok {
		return nil, false, nil
	}

	switch t := schema.Type; t {
	case TypeBool:
		var result bool
		if err := mapstructure.WeakDecode(raw, &result); err != nil {
			return nil, false, err
		}
		return result, true, nil
	// remaining type cases follow the same pattern; see the linked source
	}
}
```

Notably, `WeakDecode(...)` eventually calls one of the decode helpers, which surfaces the original value:

https://github.com/go-viper/mapstructure/blob/1a66224d5e54d8757f63bd66339cf764c3292c21/mapstructure.go#L679-L686

https://github.com/go-viper/mapstructure/blob/1a66224d5e54d8757f63bd66339cf764c3292c21/mapstructure.go#L726-L730

https://github.com/go-viper/mapstructure/blob/1a66224d5e54d8757f63bd66339cf764c3292c21/mapstructure.go#L783-L787

& more.

### PoC

To reproduce with OpenBao:

```
$ podman run -p 8300:8300 openbao/openbao:latest server -dev -dev-root-token-id=root -dev-listen-address=0.0.0.0:8300
```

and in a new tab:

```
$ BAO_TOKEN=root BAO_ADDR=http://localhost:8300 bao auth enable userpass
Success! Enabled userpass auth method at: userpass/
$ curl -X PUT -H "X-Vault-Request: true" -H "X-Vault-Token: root" -d '{"password":{"asdf":"my-sensitive-value"}}' "http://localhost:8300/v1/auth/userpass/users/adsf"
{"errors":["error converting input for field \"password\": '' expected type 'string', got unconvertible type 'map[string]interface {}', value: 'map[asdf:my-sensitive-value]'"]}
```

### Impact

This is an information disclosure bug with little mitigation. See https://discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin/74717 for a previous version. That version was fixed, but this is in the second part of that error message (starting at `'' expected a map, got 'string'` -- when the field type is `string` and a `map` is provided, we see the above information leak -- the previous example had a `map` type field with a `string` value provided).

This was rated 4.5 Medium by HashiCorp in the past iteration.
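The shape of the leak and two defender-side remedies, as an added stand-alone Go example that is not OpenBao's or mapstructure's own code: `leakyDecodeString` reproduces the error text quoted in the PoC (with the raw input after `value:`), `safeDecodeString` reports only the mismatched type, and `redactValue` is a hypothetical caller-side stopgap that strips the value clause from an unpatched decoder's error before it is wrapped and returned. The `weakToString` helper stands in for the weakly-typed scalar conversions and is an assumption, not the library's logic.

```go
package main

import (
	"fmt"
	"reflect"
	"strconv"
	"strings"
)

// weakToString applies the loose scalar conversions a string field accepts; composites such as a map are unconvertible.
func weakToString(raw interface{}) (string, bool) {
	switch v := raw.(type) {
	case string:
		return v, true
	case bool:
		return strconv.FormatBool(v), true
	}
	return "", false
}

// leakyDecodeString reproduces the error shape quoted in the advisory: the raw input is echoed after "value:".
func leakyDecodeString(raw interface{}) (string, error) {
	if s, ok := weakToString(raw); ok {
		return s, nil
	}
	return "", fmt.Errorf("'' expected type 'string', got unconvertible type '%s', value: '%v'", reflect.TypeOf(raw), raw)
}

// safeDecodeString names only the offending Go type, so the error can be wrapped and returned to a client.
func safeDecodeString(raw interface{}) (string, error) {
	if s, ok := weakToString(raw); ok {
		return s, nil
	}
	return "", fmt.Errorf("'' expected type 'string', got unconvertible type '%s'", reflect.TypeOf(raw))
}

// redactValue (hypothetical, err must be non-nil) is a caller-side stopgap for an unpatched decoder: drop the trailing ", value: '...'" clause.
func redactValue(err error) error {
	msg := err.Error()
	if i := strings.Index(msg, ", value: '"); i >= 0 {
		return fmt.Errorf("%s, value: [redacted]", msg[:i])
	}
	return err
}

func main() {
	// Constructed input mirroring the PoC request body: a map where a string was expected.
	_, err := leakyDecodeString(map[string]interface{}{"asdf": "my-sensitive-value"})
	fmt.Println(err, "\n", redactValue(err))
}
```

The redaction is a string-level patch for callers that cannot yet upgrade; the durable fix is a decoder that never places input in its error text.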

Comment 2 Christophe Fergeau 2025-07-04 07:45:42 UTC
gvisor-tap-vsock only uses github.com/go-viper/mapstructure/v2 through golangci-lint, which is optionally used at build time to run static checks on the source code. This code does not handle sensitive data, so there is no information to disclose. Closing the bug.

Comment 3 Christophe Fergeau 2025-07-04 07:46:35 UTC
I was looking at the wrong bug :-/

Comment 4 Debarshi Ray 2025-08-05 22:08:32 UTC
Am I missing something, or is the version of github.com/go-viper/mapstructure/v2 where this security bug is fixed not mentioned at all in this report?

Based on the notification that we received upstream, I believe this is fixed in github.com/go-viper/mapstructure/v2 version 2.3.0:
https://github.com/containers/toolbox/security/dependabot/22

Comment 5 Debarshi Ray 2025-08-05 22:13:27 UTC
*** Bug 2384095 has been marked as a duplicate of this bug. ***