Bug 2391829 (CVE-2025-11065, GO-2025-3900)
| Summary: | CVE-2025-11065 github.com/go-viper/mapstructure/v2: Go-viper's mapstructure May Leak Sensitive Information in Logs in github.com/go-viper/mapstructure | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | alcohan, anjoseph, bkabrda, brainfor, clarencemiddleton12, debarshir, gparvin, jbalunas, jkoehler, jprabhak, lball, ldai, lphiri, lsharar, lucarval, mwringe, ngough, owatkins, pahickey, rhaigner, sdawley, veshanka, wtam |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in security-critical contexts.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2399686, 2399688, 2399712, 2399713, 2399714, 2399715, 2399719, 2399726, 2375610, 2396348, 2399687, 2399689, 2399690, 2399691, 2399692, 2399693, 2399694, 2399695, 2399696, 2399697, 2399698, 2399699, 2399700, 2399701, 2399702, 2399703, 2399704, 2399705, 2399706, 2399707, 2399708, 2399709, 2399710, 2399711, 2399716, 2399717, 2399718, 2399720, 2399721, 2399722, 2399723, 2399724, 2399725, 2399728, 2399729 | ||
| Bug Blocks: | |||
|
Description
OSIDB Bzimport
2025-08-29 17:02:07 UTC
Another alias for this is GHSA-2464-8j7c-4cjm: https://github.com/advisories/GHSA-2464-8j7c-4cjm The security issue is fixed in github.com/go-viper/mapstructure/v2 version 2.4.0. Thanks for reporting this issue. I’ve noticed similar behavior on my setup as well — it seems to be consistent across recent builds. Looking forward to any updates or patches from the maintainers. https://polytrack-game.io |