CVE-2025-11065

EUVD-2025-206346
A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in security-critical contexts.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
redhatCNA
5.3 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 1%
Debian logo
Debian Releases
Debian Product
Codename
golang-github-go-viper-mapstructure
forky
2.4.0-1
fixed
sid
2.4.0-1
fixed
trixie
no-dsa
Common Weakness Enumeration
References
https://access.redhat.com/security/cve/CVE-2025-11065
https://bugzilla.redhat.com/show_bug.cgi?id=2391829
https://github.com/go-viper/mapstructure/commit/742921c9ba2854d27baa64272487fc5075d2c39c
https://github.com/go-viper/mapstructure/security/advisories/GHSA-2464-8j7c-4cjm
https://github.com/go-viper/mapstructure/security/advisories/GHSA-2464-8j7c-4cjm