Listen to this Post
The vulnerability exists within the `mapstructure.WeakDecode()` function’s error handling mechanism. When processing user-supplied data, such as JSON payloads destined for environment variables or configuration structs, the function can encounter type conversion errors (e.g., attempting to decode a string into an integer field). In security-critical contexts where detailed error logging is enabled, the resulting error messages may include the raw, malformed input values provided by the user. This can lead to the unintended exposure of sensitive data, such as passwords or API keys submitted in the payload, within application logs or error responses sent back to the client.
dailycve form:
Platform: Go-Viper/mapstructure
Version: v2
Vulnerability: Information Disclosure Logs
Severity: Moderate
Date: 2026-01-26
Prediction: Patch: 2026-01-27
What Undercode Say:
Analytics:
grep -r "mapstructure.WeakDecode" ./ --include=".go"
err := mapstructure.WeakDecode(inputData, &config)
if err != nil {
log.Printf("Decode failed: %v", err) // Vulnerable line
}
How Exploit:
POST /configure
Content-Type: application/json
{"password": 123, "api_key": true}
ERROR: failed to decode config: 1 error(s) decoding: 'password' expected type 'string', got unconverted type 'float64' with value: 123 'api_key' expected type 'string', got unconverted type 'bool' with value: true
Protection from this CVE:
Update to patched version.
Use generic error messages.
Sanitize logs automatically.
Impact:
Sensitive data exposure.
Credential leakage via logs.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

