CVE-2025-11065

5.3 MEDIUM

📋 TL;DR

This vulnerability in the go-viper/mapstructure library allows information disclosure through detailed error messages that leak sensitive input values. Attackers can exploit this by submitting malformed data to applications using WeakDecode in security-critical contexts. Any application using affected versions of this Go library is potentially vulnerable.

💻 Affected Systems

Products:
  • github.com/go-viper/mapstructure/v2
Versions: before v2.0.0-beta.1
Operating Systems: All operating systems running Go applications
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using mapstructure.WeakDecode with user-supplied data in security-sensitive contexts.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Sensitive configuration data, API keys, or credentials could be exposed through error messages, potentially leading to full system compromise.

🟠 Likely Case

Partial information disclosure of configuration values or user input data through verbose error responses.

🟢 If Mitigated

Limited impact with proper error handling and input validation preventing sensitive data exposure.

🌐 Internet-Facing: MEDIUM - Exploitable via user input but requires specific conditions and malformed data.
🏢 Internal Only: LOW - Internal systems typically have more controlled input sources.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires submitting malformed data to trigger error messages with sensitive information.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.0.0-beta.1 and later

Vendor Advisory: https://github.com/go-viper/mapstructure/security/advisories/GHSA-2464-8j7c-4cjm

Restart Required: Yes

Instructions:

  1. Update go.mod to require github.com/go-viper/mapstructure/v2 v2.0.0-beta.1 or later.
  2. Run 'go mod tidy'.
  3. Rebuild and redeploy your application.
  4. Restart affected services.

🔧 Temporary Workarounds

Implement custom error handling
Applies to: all

Wrap mapstructure.WeakDecode calls with custom error handling that sanitizes error messages before returning to users.

Input validation
Applies to: all

Validate and sanitize all user input before passing to mapstructure.WeakDecode to prevent malformed data triggering verbose errors.
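The two workarounds above combine naturally into one wrapper: validate the input first, then decode, and on any failure log a redacted detail server-side while returning only a fixed generic error to the caller. The following Go program is an added example written for this page; it is not code from the go-viper/mapstructure project. It does not import the library so it runs offline: leakyDecode is a constructed stand-in that echoes the offending value into its error the way the advisory describes, and in production you would pass mapstructure.WeakDecode (same input, output, error signature) as the decoder. Config, allowedKeys and the sample values are all constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"os"
	"strings"
)

// DecodeFunc matches the shape of mapstructure.WeakDecode(input, output) error,
// so the real function can be passed in unchanged (assumption: caller supplies it).
type DecodeFunc func(input any, output any) error

// ErrBadRequest is the only error text that ever reaches a client.
var ErrBadRequest = errors.New("invalid request payload")

// Config is a sample decode target, constructed for this example.
type Config struct {
	Port   int
	APIKey string
}

// allowedKeys is the input allow-list; anything else is rejected before decoding.
var allowedKeys = map[string]bool{"port": true, "api_key": true}

// validateInput rejects unknown keys and oversized string values up front, so
// malformed payloads are stopped before they can reach a verbose decoder.
func validateInput(in map[string]any) error {
	for k, v := range in {
		if !allowedKeys[k] {
			return fmt.Errorf("unexpected field %q", k)
		}
		if s, ok := v.(string); ok && len(s) > 256 {
			return fmt.Errorf("field %q exceeds maximum length", k)
		}
	}
	return nil
}

// redact masks any string input value that appears verbatim in the detailed
// error, so the server-side log does not become a second leak.
func redact(msg string, in map[string]any) string {
	for _, v := range in {
		if s, ok := v.(string); ok && len(s) >= 4 {
			msg = strings.ReplaceAll(msg, s, "[REDACTED]")
		}
	}
	return msg
}

// SafeDecode validates, decodes, and on failure logs a redacted detail while
// returning only the generic ErrBadRequest to the caller.
func SafeDecode(decode DecodeFunc, in map[string]any, out any, logger *log.Logger) error {
	if err := validateInput(in); err != nil {
		logger.Printf("decode rejected: %v", err)
		return ErrBadRequest
	}
	if err := decode(in, out); err != nil {
		logger.Printf("decode failed: %s", redact(err.Error(), in))
		return ErrBadRequest
	}
	return nil
}

// leakyDecode stands in for an affected decoder: its error message quotes the
// value it could not convert. Constructed for this example, not library code.
func leakyDecode(input any, output any) error {
	in, ok := input.(map[string]any)
	if !ok {
		return errors.New("input is not a map")
	}
	cfg, ok := output.(*Config)
	if !ok {
		return errors.New("output is not *Config")
	}
	if v, ok := in["port"]; ok {
		n, isInt := v.(int)
		if !isInt {
			return fmt.Errorf("cannot parse value '%v' as int", v)
		}
		cfg.Port = n
	}
	if v, ok := in["api_key"]; ok {
		cfg.APIKey, _ = v.(string)
	}
	return nil
}

func main() {
	logger := log.New(os.Stderr, "app: ", 0)
	var cfg Config
	// A malformed payload where the bad value is itself sensitive (constructed).
	in := map[string]any{"port": "hunter2-secret", "api_key": "sk_live_example"}
	err := SafeDecode(leakyDecode, in, &cfg, logger)
	fmt.Println("client sees:", err) // generic message only; detail went to the log, redacted
}
```

The client-facing error carries no input at all, and the log line shows "[REDACTED]" where the offending value would have been, so the workaround holds even when the decoder is still the vulnerable one.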

🧯 If You Can't Patch

  • Implement application-level error handling to sanitize all error messages before returning to users.
  • Disable verbose error reporting in production environments and implement generic error messages.

🔍 How to Verify

Check if Vulnerable:

Check go.mod for the github.com/go-viper/mapstructure/v2 version. If the version is below v2.0.0-beta.1, the application is vulnerable.

Check Version:

grep 'github.com/go-viper/mapstructure/v2' go.mod

Verify Fix Applied:

Verify go.mod requires github.com/go-viper/mapstructure/v2 v2.0.0-beta.1 or later, and test that malformed input no longer returns sensitive data in error messages.

📡 Detection & Monitoring

Log Indicators:

  • Verbose error messages containing user input or configuration data
  • Multiple failed parsing attempts with malformed data

Network Indicators:

  • HTTP responses containing detailed error messages with potentially sensitive data

SIEM Query:

search error_message="*mapstructure.WeakDecode*" AND (error_message="*password*" OR error_message="*key*" OR error_message="*secret*")
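The SIEM query above can be checked offline against your own log format before it goes into a production rule. The following Go program is an added example for this page, not tooling from the advisory or the project: it applies the same logic (error_message must mention mapstructure.WeakDecode and one of password, key or secret) to a handful of constructed key=value log lines, and also counts decode failures per source address to cover the second log indicator, repeated failed parsing attempts. The key=value layout and the src= field are assumptions about the log format.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// sampleLogs are constructed lines in a key=value layout; not real application output.
var sampleLogs = []string{
	`ts=2025-10-01T12:00:01Z level=error src=10.0.0.5 error_message="mapstructure.WeakDecode: cannot parse 'hunter2' as int for field password"`,
	`ts=2025-10-01T12:00:02Z level=error src=10.0.0.5 error_message="mapstructure.WeakDecode: cannot parse 'abc' as int for field port"`,
	`ts=2025-10-01T12:00:03Z level=info src=10.0.0.7 msg="request complete"`,
	`ts=2025-10-01T12:00:04Z level=error src=10.0.0.9 error_message="db timeout on secret rotation"`,
}

var (
	errMsgRe = regexp.MustCompile(`error_message="([^"]*)"`)
	srcRe    = regexp.MustCompile(`\bsrc=(\S+)`)
	// Same terms as the SIEM query; matched case-insensitively as substrings,
	// so "*key*" is deliberately broad (it also hits "keyboard", "monkey").
	sensitiveTerms = []string{"password", "key", "secret"}
)

// Match is one line that satisfies the query, with the term that fired.
type Match struct {
	Line string
	Term string
}

// ScanLogs returns the lines whose error_message names mapstructure.WeakDecode
// and contains at least one sensitive term.
func ScanLogs(lines []string) []Match {
	var hits []Match
	for _, line := range lines {
		m := errMsgRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		msg := strings.ToLower(m[1])
		if !strings.Contains(msg, "mapstructure.weakdecode") {
			continue
		}
		for _, term := range sensitiveTerms {
			if strings.Contains(msg, term) {
				hits = append(hits, Match{Line: line, Term: term})
				break
			}
		}
	}
	return hits
}

// CountDecodeFailures tallies WeakDecode error lines per src= value, which is
// the input for a "repeated malformed submissions" threshold alert.
func CountDecodeFailures(lines []string) map[string]int {
	counts := make(map[string]int)
	for _, line := range lines {
		m := errMsgRe.FindStringSubmatch(line)
		if m == nil || !strings.Contains(strings.ToLower(m[1]), "mapstructure.weakdecode") {
			continue
		}
		src := "unknown"
		if s := srcRe.FindStringSubmatch(line); s != nil {
			src = s[1]
		}
		counts[src]++
	}
	return counts
}

func main() {
	for _, h := range ScanLogs(sampleLogs) {
		fmt.Printf("sensitive term %q in: %s\n", h.Term, h.Line)
	}
	for src, n := range CountDecodeFailures(sampleLogs) {
		fmt.Printf("%s: %d decode failures\n", src, n)
	}
}
```

On the sample above only the first line matches the query (the second is a WeakDecode error but names no sensitive field, the fourth mentions "secret" but is unrelated to decoding), while the per-source count flags 10.0.0.5 twice, which is the signal the "multiple failed parsing attempts" indicator refers to.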
