Fluid Attacks Database

Description

A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in security-critical contexts.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	golang-github-go-viper-mapstructure	=2.2.1-1 \|\| =2.2.1-2 \|\| =2.4.0-1 \|\| =2.5.0-1	-
debian 14	golang-github-go-viper-mapstructure	=2.2.1-1 \|\| =2.2.1-2 \|\| >=0 <2.4.0-1	2.4.0-1
go	github.com/go-viper/mapstructure	-	-
go	github.com/go-viper/mapstructure/v2	>=0 <2.4.0	2.4.0
rpm rhel9	toolbox	-	-
rpm rhel10	toolbox	-	-
rpm rhel9	gvisor-tap-vsock	-	-
rpm rhel10	opentelemetry-collector	-	-
rpm rhel9	opentelemetry-collector	-	-
rpm rhel10	gvisor-tap-vsock	-	-

Aliases

1. CVE-2025-110652. NVD-2025-110653. OSV-DEBIAN-2025-110654. OSV-2025-110655. OSV-GO-2025-39006. GHSA-2464-8j7c-4cjm7. GCVE-2025-110658. SECURITY-TRACKER-CVE-2025-110659. GHSA-2464-8j7c-4cjm10. ACCESS-CVE-2025-11065

References

1. https://github.com/go-viper/mapstructure/commit/742921c9ba2854d27baa64272487fc5075d2c39c2. https://github.com/go-viper/mapstructure/security/advisories/GHSA-2464-8j7c-4cjm3. https://bugzilla.redhat.com/show_bug.cgi?id=23918294. https://pkg.go.dev/vuln/GO-2025-3900

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.