2384095 – (GO-2025-3787) github.com/go-viper/mapstructure/v2: go-viper information leak

Bug 2384095 (GO-2025-3787) - github.com/go-viper/mapstructure/v2: go-viper information leak

Summary: github.com/go-viper/mapstructure/v2: go-viper information leak

Keywords:
Status:	CLOSED DUPLICATE of bug 2375247
Alias:	GO-2025-3787
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2384133 2384139 2384140 2384141 2384142 2384143 2384146 2384150 2384151 2384155 2384156 2384157 2384158 2384159 2384161 2384165 2375610 2375617 2375632 2384134 2384135 2384136 2384137 2384138 2384144 2384145 2384147 2384148 2384149 2384152 2384153 2384154 2384160 2384162 2384163 2384164 2384166 2384167
Blocks:
TreeView+	depends on / blocked

Reported:	2025-07-28 22:01 UTC by OSIDB Bzimport
Modified:	2025-10-06 12:12 UTC (History)
CC List:	15 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2025-08-05 22:13:27 UTC
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-07-28 22:01:44 UTC

May leak sensitive information in logs when processing malformed data in github.com/go-viper/mapstructure

Comment 2 Debarshi Ray 2025-08-05 22:13:27 UTC

GO-2025-3787 and GHSA-fv92-fjc5-jj9h are the same security bug:
https://pkg.go.dev/vuln/GO-2025-3787
https://github.com/advisories/GHSA-fv92-fjc5-jj9h

Hence, this is a duplicate of bug 2375247

*** This bug has been marked as a duplicate of bug 2375247 ***

Note You need to log in before you can comment on or make changes to this bug.