Conversation

@renovate-sh-app
@renovate-sh-app renovate-sh-app bot commented Oct 23, 2025

This PR contains the following updates:

| Package | Change | Age | Confidence |
| --- | --- | --- | --- |
| github.com/go-viper/mapstructure/v2 | v2.3.0 -> v2.4.0 | age | confidence |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

GHSA-2464-8j7c-4cjm

Summary

Use of this library in a security-critical context may result in leaking sensitive information, if used to process sensitive fields.

Details

OpenBao (and presumably HashiCorp Vault) have surfaced error messages from mapstructure as follows:

https://github.com/openbao/openbao/blob/98c3a59c040efca724353ca46ca79bd5cdbab920/sdk/framework/field_data.go#L43-L50

			_, _, err := d.getPrimitive(field, schema)
			if err != nil {
				return fmt.Errorf("error converting input for field %q: %w", field, err)
			}

where this calls mapstructure.WeakDecode(...): https://github.com/openbao/openbao/blob/98c3a59c040efca724353ca46ca79bd5cdbab920/sdk/framework/field_data.go#L181-L193

func (d *FieldData) getPrimitive(k string, schema *FieldSchema) (interface{}, bool, error) {
	raw, ok := d.Raw[k]
	if !ok {
		return nil, false, nil
	}

	switch t := schema.Type; t {
	case TypeBool:
		var result bool
		if err := mapstructure.WeakDecode(raw, &result); err != nil {
			return nil, false, err
		}
		return result, true, nil

Notably, WeakDecode(...) eventually calls one of the decode helpers, which surfaces the original value via strconv helpers:

https://github.com/go-viper/mapstructure/blob/8c61ec1924fcfa522f9fc6b4618c672db61d1a38/mapstructure.go#L720-L727

https://github.com/go-viper/mapstructure/blob/8c61ec1924fcfa522f9fc6b4618c672db61d1a38/mapstructure.go#L791-L798

https://github.com/go-viper/mapstructure/blob/8c61ec1924fcfa522f9fc6b4618c672db61d1a38/decode_hooks.go#L180

& more. These are different code paths than are fixed in the previous iteration at GHSA-fv92-fjc5-jj9h.

PoC

To reproduce with OpenBao:

$ podman run --pull=always -p 8300:8300 openbao/openbao:latest server -dev -dev-root-token-id=root -dev-listen-address=0.0.0.0:8300

and in a new tab:

$ BAO_TOKEN=root BAO_ADDR=http://localhost:8300 bao auth enable userpass
Success! Enabled userpass auth method at: userpass/
$ curl -X PUT -H "X-Vault-Request: true" -H "X-Vault-Token: root" -d '{"ttl":"asdf"}' "http://localhost:8200/v1/auth/userpass/users/asdf"

--> server logs:

2025-06-25T21:32:25.101-0500 [ERROR] core: failed to run existence check: error="error converting input for field \"ttl\": time: invalid duration \"asdf\""

Impact

This is an information disclosure bug with little mitigation. See https://discuss.hashicorp.com/t/hcsec-2025-09-vault-may-expose-sensitive-information-in-error-logs-when-processing-malformed-data-with-the-kv-v2-plugin/74717 for a previous version. That version was fixed, but this is in the second part of that error message (starting at '' expected a map, got 'string' -- when the field type is string and a map is provided, we see the above information leak -- the previous example had a map type field with a string value provided).

This was rated 4.5 Medium by HashiCorp in the past iteration.


Go-viper's mapstructure May Leak Sensitive Information in Logs in github.com/go-viper/mapstructure

GHSA-2464-8j7c-4cjm / GO-2025-3900

More information

Details

Go-viper's mapstructure May Leak Sensitive Information in Logs in github.com/go-viper/mapstructure

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


go-viper's mapstructure May Leak Sensitive Information in Logs When Processing Malformed Data

GHSA-2464-8j7c-4cjm / GO-2025-3900

More information

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

go-viper/mapstructure (github.com/go-viper/mapstructure/v2)

v2.4.0

Compare Source

What's Changed

New Contributors

Full Changelog: go-viper/mapstructure@v2.3.0...v2.4.0


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
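The advisory above traces the leak to the `strconv` and `time` helpers that `WeakDecode` ends up calling: their errors quote the caller's input verbatim, and wrapping such an error with `%w` carries that input straight into the log line. The following Go program is an added example written for this page; it is not code from OpenBao, Vault, or the mapstructure project. It calls `strconv.ParseBool` and `time.ParseDuration` directly (the same helpers the advisory links to) so that it runs without mapstructure, and the type names `FieldType`, `TypeBool`, `TypeDuration`, `DecodeField` and `LeaksInput` are hypothetical stand-ins for the framework's own. It shows the verbatim error beside a redacted one that keeps the field name, the failed conversion and the sentinel reason but never the submitted value, plus a guard a test suite can use to assert that no surfaced error echoes its input.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// FieldType mirrors the schema switch in the getPrimitive excerpt above.
// Hypothetical names: the real framework defines its own constants.
type FieldType int

const (
	TypeBool FieldType = iota
	TypeDuration
)

// convertRaw performs the weak conversions the advisory describes, calling the
// strconv/time helpers directly instead of mapstructure.WeakDecode. The error
// it returns is the library's own and embeds the caller's input verbatim.
func convertRaw(raw string, t FieldType) (interface{}, error) {
	switch t {
	case TypeBool:
		return strconv.ParseBool(raw)
	case TypeDuration:
		return time.ParseDuration(raw)
	}
	return nil, fmt.Errorf("unsupported field type %d", t)
}

func typeName(t FieldType) string {
	switch t {
	case TypeBool:
		return "boolean"
	case TypeDuration:
		return "duration"
	}
	return "value"
}

// redactConversionError rebuilds the error so it still names the field, the
// conversion that failed and the reason, but never the submitted value.
func redactConversionError(field string, t FieldType, err error) error {
	var ne *strconv.NumError
	if errors.As(err, &ne) {
		// strconv errors are structured: keep Func and the sentinel Err
		// (ErrSyntax or ErrRange) and drop ne.Num, which holds the raw input.
		return fmt.Errorf("error converting input for field %q: %s: %w", field, ne.Func, ne.Err)
	}
	// time.ParseDuration and most other helpers return a flat string that
	// quotes the input, so fall back to a fixed message keyed by expected type.
	return fmt.Errorf("error converting input for field %q: value is not a valid %s", field, typeName(t))
}

// DecodeField is the defensive form of the getPrimitive-plus-wrap pattern:
// the raw value can only reach a log through the redacted error.
func DecodeField(field, raw string, t FieldType) (interface{}, error) {
	v, err := convertRaw(raw, t)
	if err != nil {
		return nil, redactConversionError(field, t, err)
	}
	return v, nil
}

// LeaksInput reports whether err's message echoes the raw input. It is the
// check a unit test can run over every error a handler is allowed to log.
func LeaksInput(err error, raw string) bool {
	return err != nil && strings.Contains(err.Error(), raw)
}

func main() {
	const secret = "hunter2" // constructed sample standing in for sensitive input

	_, verbatim := convertRaw(secret, TypeDuration)
	_, redacted := DecodeField("ttl", secret, TypeDuration)

	fmt.Println("verbatim:", verbatim) // time: invalid duration "hunter2"
	fmt.Println("redacted:", redacted) // error converting input for field "ttl": value is not a valid duration
	fmt.Println("leaks input:", LeaksInput(verbatim, secret), LeaksInput(redacted, secret))
}
```

The `strconv` branch keeps `errors.Is(err, strconv.ErrSyntax)` working for callers that branch on the reason, so redaction costs nothing in error handling; only the `Num` field is dropped. The fallback branch is deliberately blunt because flat-string errors give no safe way to separate reason from input.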

@renovate-sh-app renovate-sh-app bot enabled auto-merge (squash) October 23, 2025 12:17
@renovate-sh-app renovate-sh-app bot changed the title chore(deps): update module github.com/go-viper/mapstructure/v2 to v2.4.0 [security] chore(deps): update module github.com/go-viper/mapstructure/v2 to v2.4.0 [security] - autoclosed Oct 24, 2025
@renovate-sh-app renovate-sh-app bot closed this Oct 24, 2025
auto-merge was automatically disabled October 24, 2025 18:16

Pull request was closed

@renovate-sh-app renovate-sh-app bot deleted the renovate/go-github.com-go-viper-mapstructure-v2-vulnerability branch October 24, 2025 18:16
@renovate-sh-app renovate-sh-app bot changed the title chore(deps): update module github.com/go-viper/mapstructure/v2 to v2.4.0 [security] - autoclosed chore(deps): update module github.com/go-viper/mapstructure/v2 to v2.4.0 [security] Oct 24, 2025
@renovate-sh-app renovate-sh-app bot reopened this Oct 24, 2025
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-github.com-go-viper-mapstructure-v2-vulnerability branch 2 times, most recently from 8e6bc8f to d5f45fa Compare October 24, 2025 21:17
@renovate-sh-app renovate-sh-app bot enabled auto-merge (squash) October 25, 2025 00:15
@renovate-sh-app renovate-sh-app bot changed the title chore(deps): update module github.com/go-viper/mapstructure/v2 to v2.4.0 [security] chore(deps): update module github.com/go-viper/mapstructure/v2 to v2.4.0 [security] - autoclosed Oct 25, 2025
@renovate-sh-app renovate-sh-app bot closed this Oct 25, 2025
auto-merge was automatically disabled October 25, 2025 03:18

Pull request was closed

…4.0 [security]

| datasource | package                             | from   | to     |
| ---------- | ----------------------------------- | ------ | ------ |
| go         | github.com/go-viper/mapstructure/v2 | v2.3.0 | v2.4.0 |


Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
@renovate-sh-app renovate-sh-app bot changed the title chore(deps): update module github.com/go-viper/mapstructure/v2 to v2.4.0 [security] - autoclosed chore(deps): update module github.com/go-viper/mapstructure/v2 to v2.4.0 [security] Oct 25, 2025
@renovate-sh-app renovate-sh-app bot reopened this Oct 25, 2025
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-github.com-go-viper-mapstructure-v2-vulnerability branch 2 times, most recently from d5f45fa to 1d4a9fa Compare October 25, 2025 03:42
@renovate-sh-app renovate-sh-app bot enabled auto-merge (squash) October 25, 2025 06:15