Bug 2391829 (CVE-2025-11065, GO-2025-3900) - CVE-2025-11065 github.com/go-viper/mapstructure/v2: Go-viper's mapstructure May Leak Sensitive Information in Logs in github.com/go-viper/mapstructure
Summary: CVE-2025-11065 github.com/go-viper/mapstructure/v2: Go-viper's mapstructure M...
Keywords:
Status: NEW
Alias: CVE-2025-11065, GO-2025-3900
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2399686 2399687 2399688 2399691 2399694 2399695 2399696 2399697 2399698 2399699 2399701 2399702 2399703 2399704 2399705 2399706 2399708 2399712 2399713 2399714 2399715 2399716 2399717 2399719 2399720 2399721 2399722 2399723 2399724 2399726 2399729 2375610 2396348 2399689 2399690 2399692 2399693 2399700 2399707 2399709 2399710 2399711 2399718 2399725 2399728
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-08-29 17:02 UTC by OSIDB Bzimport
Modified: 2025-10-22 03:16 UTC (History)
23 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-08-29 17:02:07 UTC 
Go-viper's mapstructure May Leak Sensitive Information in Logs in github.com/go-viper/mapstructure
Comment 4 Debarshi Ray 2025-09-28 22:45:25 UTC 
Another alias for this is GHSA-2464-8j7c-4cjm:
https://github.com/advisories/GHSA-2464-8j7c-4cjm

The security issue is fixed in github.com/go-viper/mapstructure/v2 version 2.4.0.
Comment 5 prudentclo 2025-10-22 03:16:32 UTC 
Thanks for reporting this issue. I’ve noticed similar behavior on my setup as well — it seems to be consistent across recent builds. Looking forward to any updates or patches from the maintainers. https://polytrack-game.io
Note You need to log in before you can comment on or make changes to this bug.