CVE-2025-11065 Overview
A vulnerability has been identified in github.com/go-viper/mapstructure/v2, specifically within the field processing component when using mapstructure.WeakDecode. This information disclosure vulnerability allows sensitive input values to be exposed through detailed error messages when malformed user-supplied data is processed in security-critical contexts.
Critical Impact
Sensitive data such as user credentials, API keys, or configuration values processed through mapstructure could be leaked via verbose error messages, potentially exposing confidential information to attackers.
Affected Products
- github.com/go-viper/mapstructure/v2 (versions prior to the security patch)
Discovery Timeline
- 2026-01-26 - CVE CVE-2025-11065 published to NVD
- 2026-01-27 - Last updated in NVD database
Technical Details for CVE-2025-11065
Vulnerability Analysis
This vulnerability falls under CWE-209 (Generation of Error Message Containing Sensitive Information). When the mapstructure.WeakDecode function processes malformed input data, the resulting error messages include the raw input values that caused the parsing failure. In scenarios where sensitive data such as passwords, tokens, or personally identifiable information (PII) is being processed, these verbose error messages can inadvertently expose the sensitive values to unauthorized parties through application logs, API responses, or debugging output.
The vulnerability requires network access and user interaction to exploit, making it a targeted attack vector rather than an opportunistic one. An attacker would need to craft specific malformed input that triggers parsing errors while also having access to observe the resulting error messages, either through application logs, error responses, or other output channels.
Root Cause
The root cause lies in the error handling mechanism within mapstructure's type conversion functions. When numeric conversion operations fail via strconv functions, the original error message—which includes the problematic input value—was being directly propagated to the caller without sanitization. This design choice, while useful for debugging, creates a security risk when the library processes untrusted or sensitive data.
Attack Vector
An attacker can exploit this vulnerability by submitting malformed data to an application that uses mapstructure.WeakDecode for configuration parsing or data binding. If the application logs errors or returns them in API responses, the attacker can extract sensitive information that was included in the original input payload. The attack requires the attacker to observe error output, which may be achieved through:
- Direct access to application logs
- Error messages returned in HTTP responses
- Debug endpoints that expose internal errors
- Monitoring systems that capture application output
The following patch demonstrates how the vulnerability was addressed by wrapping strconv numeric errors to prevent value leakage:
return newDecodeError(name, &ParseError{
Expected: val,
Value: data,
- Err: err,
+ Err: wrapStrconvNumError(err),
})
}
case dataType.PkgPath() == "encoding/json" && dataType.Name() == "Number":
Source: GitHub Commit Reference
The fix introduces a wrapper function wrapStrconvNumError that sanitizes the error message to prevent the original input value from being exposed.
Detection Methods for CVE-2025-11065
Indicators of Compromise
- Application logs containing detailed error messages with user-supplied input values embedded in mapstructure parsing errors
- Unusual patterns of malformed input submissions that consistently trigger parsing errors
- Increased error rates in components utilizing mapstructure.WeakDecode for data processing
Detection Strategies
- Review application logs for error messages containing patterns like ParseError with sensitive data fragments
- Monitor for abnormal error generation rates in configuration parsing or data binding modules
- Implement log analysis rules to detect potential information leakage through verbose error output
- Audit code paths that use mapstructure.WeakDecode with untrusted input
Monitoring Recommendations
- Configure log aggregation systems to flag and alert on error messages containing potentially sensitive data patterns
- Implement application-level monitoring to track error rates in mapstructure-dependent components
- Review and sanitize all error messages before they reach logs or user-facing output
- Enable verbose logging only in development environments, not production
How to Mitigate CVE-2025-11065
Immediate Actions Required
- Update github.com/go-viper/mapstructure/v2 to the patched version containing commit 742921c9ba2854d27baa64272487fc5075d2c39c
- Review application code to identify all usages of mapstructure.WeakDecode with sensitive or untrusted data
- Implement error sanitization at the application layer as an additional defense-in-depth measure
- Audit logs for any historical exposure of sensitive data through error messages
Patch Information
The vulnerability has been addressed in a security patch available through the GitHub Commit Reference. Additional details are available in the GitHub Security Advisory and the Red Hat CVE Advisory.
Workarounds
- Implement custom error handling wrappers around mapstructure.WeakDecode calls to sanitize error messages before logging or returning them
- Configure application error handling to use generic error messages for user-facing output while retaining detailed errors only for secure internal logging
- Restrict access to application logs and error output to authorized personnel only
- Consider using mapstructure.Decode with strict validation where possible to reduce error surface area
# Update go-viper/mapstructure to the latest patched version
go get -u github.com/go-viper/mapstructure/v2@latest
# Verify the installed version includes the security fix
go list -m github.com/go-viper/mapstructure/v2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
