CVE-2025-11065

EUVD-2025-29426
A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in security-critical contexts.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Debian logo
Debian Releases
Debian Product
Codename
golang-github-go-viper-mapstructure
forky
2.5.0-1
fixed
sid
2.5.0-2
fixed
trixie
no-dsa
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
alloy
suse enterprise desktop 15 SP7
1.11.3-150700.15.9.1
fixed
suse enterprise sap 15 SP7
1.11.3-150700.15.9.1
fixed
suse enterprise server 15 SP7
1.11.3-150700.15.9.1
fixed
cosign
suse enterprise desktop 15 SP7
3.0.5-150400.3.35.1
fixed
suse enterprise sap 15 SP7
3.0.5-150400.3.35.1
fixed
suse enterprise server 15 SP7
3.0.5-150400.3.35.1
fixed
cosign-bash-completion
suse enterprise desktop 15 SP7
3.0.5-150400.3.35.1
fixed
suse enterprise sap 15 SP7
3.0.5-150400.3.35.1
fixed
suse enterprise server 15 SP7
3.0.5-150400.3.35.1
fixed
cosign-zsh-completion
suse enterprise desktop 15 SP7
3.0.5-150400.3.35.1
fixed
suse enterprise sap 15 SP7
3.0.5-150400.3.35.1
fixed
suse enterprise server 15 SP7
3.0.5-150400.3.35.1
fixed
Common Weakness Enumeration
References
https://access.redhat.com/security/cve/CVE-2025-11065
https://bugzilla.redhat.com/show_bug.cgi?id=2391829
https://github.com/go-viper/mapstructure/commit/742921c9ba2854d27baa64272487fc5075d2c39c
https://github.com/go-viper/mapstructure/security/advisories/GHSA-2464-8j7c-4cjm
https://github.com/go-viper/mapstructure/security/advisories/GHSA-2464-8j7c-4cjm