CVE-2025-11065 — Go-viper's mapstructure May Leak Sensitive Information in Logs in github.com/go-

Description

A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in security-critical contexts.

How to fix CVE-2025-11065

To remediate CVE-2025-11065, upgrade the affected package to a fixed version below.

—no fix listed
—no fix listed
—upgrade to 2.4.0 or later
—upgrade to 2.4.0 or later

Is CVE-2025-11065 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

from 0
from 0
from 0, < 2.4.0
from 0, < 2.4.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-11065
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2025-11065
PATCHgithub.com/go-viper/mapstructure
WEBaccess.redhat.com/security/cve/CVE-2025-11065
WEB