CVE-2025-11065
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk28th percentile - higher than 28% of all known CVEs
Summary
A flaw in the mapstructure library for Go causes information disclosure through detailed error messages. The WeakDecode function may leak sensitive input values in error messages when processing malformed data.
Risk Assessment
The organization risks exposure of confidential information such as passwords, API keys, or personal data, which could be revealed in logs or system responses. This may lead to data breaches and regulatory non-compliance.
Recommendation
Update the github.com/go-viper/mapstructure/v2 library to the latest patched version. As a workaround, avoid using WeakDecode in security-critical contexts and disable detailed error messages in production environments.
Original NVD description (English source)
A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in security-critical contexts.

