CVE-2025-11065: 
Linux Debian vulnerability analysis and mitigation

Go-viper's mapstructure library (github.com/go-viper/mapstructure/v2) versions 2.3.0 and earlier contain a security vulnerability identified as CVE-2025-11065. The vulnerability was discovered in August 2025 and could potentially leak sensitive information in logs when processing malformed data. This issue affects applications using the mapstructure library for processing sensitive fields, particularly impacting security-critical contexts (GHSA Advisory).

The vulnerability occurs when the library processes malformed data and surfaces error messages containing sensitive information through various decode helpers. The issue manifests when using functions like WeakDecode() which eventually calls decode helpers that expose original values via strconv helpers. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Moderate) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N, indicating network attack vector, high attack complexity, no privileges required, and potential for high confidentiality impact (GHSA Advisory).

The vulnerability can lead to information disclosure in security-critical contexts. When processing sensitive fields, the library may leak sensitive information through error messages and logs. This is particularly concerning for applications like OpenBao and HashiCorp Vault that use the library for processing sensitive data (GHSA Advisory).

The vulnerability has been fixed in github.com/go-viper/mapstructure/v2 version 2.4.0. Users are advised to upgrade to this patched version to prevent potential information leakage (Red Hat Bugzilla).