This advisory has been withdrawn because it is a duplicate of GHSA-2464-8j7c-4cjm. This link is maintained to preserve external references.
A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in security-critical contexts.
{
"github_reviewed_at": "2026-01-27T21:00:31Z",
"nvd_published_at": "2026-01-26T20:16:06Z",
"github_reviewed": true,
"cwe_ids": [
"CWE-117"
],
"severity": "MODERATE"
}