logo

Database

Log injection In github.com/go-viper/mapstructure/v2

Description

Duplicate Advisory: go-viper's mapstructure May Leak Sensitive Information in Logs When Processing Malformed Data

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-2464-8j7c-4cjm. This link is maintained to preserve external references.

Original Description

A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in security-critical contexts.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. NVD-2025-110652. GHSA-2464-8j7c-4cjm3. GCVE-GHSA-86rf-68f4-2cph4. ACCESS-CVE-2025-11065

References

1. https://github.com/go-viper/mapstructure/security/advisories/GHSA-2464-8j7c-4cjm2. https://github.com/go-viper/mapstructure/commit/742921c9ba2854d27baa64272487fc5075d2c39c3. https://bugzilla.redhat.com/show_bug.cgi?id=2391829

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.