CVE Catalog

CVE-2025-11065

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.36%

28th percentile - higher than 28% of all known CVEs

Summary

A flaw in the mapstructure library for Go causes information disclosure through detailed error messages. The WeakDecode function may leak sensitive input values in error messages when processing malformed data.

Risk Assessment

The organization risks exposure of confidential information such as passwords, API keys, or personal data, which could be revealed in logs or system responses. This may lead to data breaches and regulatory non-compliance.

Recommendation

Update the github.com/go-viper/mapstructure/v2 library to the latest patched version. As a workaround, avoid using WeakDecode in security-critical contexts and disable detailed error messages in production environments.

Original NVD description (English source)

A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in security-critical contexts.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS