Conversation

@rayaisaiah rayaisaiah commented Oct 20, 2025

Reason for Change:
Resolves GHSA-2464-8j7c-4cjm in the github.com/go-viper/mapstructure/v2 library in NPM's gobinary.

v1.6.33 (Current NPM Image):

mcr.microsoft.com/containernetworking/azure-npm:v1.6.33 (ubuntu 24.04)

Total: 9 (UNKNOWN: 0, LOW: 1, MEDIUM: 8, HIGH: 0, CRITICAL: 0)

┌────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────────┬──────────────────────────────────────────────────────────────┐
│      Library       │ Vulnerability  │ Severity │ Status │ Installed Version │   Fixed Version   │                            Title                             │
├────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────────┼──────────────────────────────────────────────────────────────┤
│ dpkg               │ CVE-2025-6297  │ LOW      │ fixed  │ 1.22.6ubuntu6.1   │ 1.22.6ubuntu6.5   │ It was discovered that dpkg-deb does not properly sanitize   │
│                    │                │          │        │                   │                   │ directory p ......                                           │
│                    │                │          │        │                   │                   │ https://avd.aquasec.com/nvd/cve-2025-6297                    │
├────────────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────────┼──────────────────────────────────────────────────────────────┤
│ libc-bin           │ CVE-2025-8058  │ MEDIUM   │        │ 2.39-0ubuntu8.5   │ 2.39-0ubuntu8.6   │ glibc: Double free in glibc                                  │
│                    │                │          │        │                   │                   │ https://avd.aquasec.com/nvd/cve-2025-8058                    │
├────────────────────┤                │          │        │                   │                   │                                                              │
│ libc6              │                │          │        │                   │                   │                                                              │
│                    │                │          │        │                   │                   │                                                              │
├────────────────────┼────────────────┤          │        ├───────────────────┼───────────────────┼──────────────────────────────────────────────────────────────┤
│ libpam-modules     │ CVE-2024-10963 │          │        │ 1.5.3-5ubuntu5.4  │ 1.5.3-5ubuntu5.5  │ pam: Improper Hostname Interpretation in pam_access Leads to │
│                    │                │          │        │                   │                   │ Access Control Bypass                                        │
│                    │                │          │        │                   │                   │ https://avd.aquasec.com/nvd/cve-2024-10963                   │
├────────────────────┤                │          │        │                   │                   │                                                              │
│ libpam-modules-bin │                │          │        │                   │                   │                                                              │
│                    │                │          │        │                   │                   │                                                              │
│                    │                │          │        │                   │                   │                                                              │
├────────────────────┤                │          │        │                   │                   │                                                              │
│ libpam-runtime     │                │          │        │                   │                   │                                                              │
│                    │                │          │        │                   │                   │                                                              │
│                    │                │          │        │                   │                   │                                                              │
├────────────────────┤                │          │        │                   │                   │                                                              │
│ libpam0g           │                │          │        │                   │                   │                                                              │
│                    │                │          │        │                   │                   │                                                              │
│                    │                │          │        │                   │                   │                                                              │
├────────────────────┼────────────────┤          │        ├───────────────────┼───────────────────┼──────────────────────────────────────────────────────────────┤
│ libssl3t64         │ CVE-2025-9230  │          │        │ 3.0.13-0ubuntu3.5 │ 3.0.13-0ubuntu3.6 │ openssl: Out-of-bounds read & write in RFC 3211 KEK Unwrap   │
│                    │                │          │        │                   │                   │ https://avd.aquasec.com/nvd/cve-2025-9230                    │
├────────────────────┤                │          │        │                   │                   │                                                              │
│ openssl            │                │          │        │                   │                   │                                                              │
│                    │                │          │        │                   │                   │                                                              │
└────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────────┴──────────────────────────────────────────────────────────────┘

usr/bin/azure-npm (gobinary)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌─────────────────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│               Library               │    Vulnerability    │ Severity │ Status │ Installed Version │ Fixed Version │                           Title                           │
├─────────────────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ github.com/go-viper/mapstructure/v2 │ GHSA-2464-8j7c-4cjm │ MEDIUM   │ fixed  │ v2.3.0            │ 2.4.0         │ go-viper's mapstructure May Leak Sensitive Information in │
│                                     │                     │          │        │                   │               │ Logs When Processing Malformed Data...                    │
│                                     │                     │          │        │                   │               │ https://github.com/advisories/GHSA-2464-8j7c-4cjm         │
└─────────────────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘

CVE Fix:

acnpublic.azurecr.io/azure-npm:v1.6.34Fix (ubuntu 24.04)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Issue Fixed:

Requirements:

Notes:
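A verification step that is not part of this PR: the scan tables above give the installed version (v2.3.0) and the first fixed version (2.4.0) for github.com/go-viper/mapstructure/v2, and the only evidence that the bump landed is a second Trivy run. The added Go program below parses a go.mod, compares each `require` entry against a table of fixed versions, and reports anything still below the fix, so the same check can run in CI before an image is rebuilt and rescanned. The go.mod excerpt is constructed for the example and is not this repository's go.mod; the fixed-version table holds only the advisory from the scan output on this page. Trivy prints fixed versions without the leading `v`, so the comparison accepts both forms.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Constructed go.mod excerpt for the example; not the azure-container-networking go.mod.
const sampleGoMod = `module example.com/npm-check

go 1.22

require (
	github.com/go-viper/mapstructure/v2 v2.3.0
	github.com/spf13/viper v1.20.0
	golang.org/x/sys v0.30.0 // indirect
)
`

// Module path -> first fixed version, taken from the GHSA-2464-8j7c-4cjm row of the scan table.
// Trivy reports the fixed version as "2.4.0"; compareVersions tolerates the missing "v".
var fixedVersions = map[string]string{
	"github.com/go-viper/mapstructure/v2": "2.4.0",
}

// parseRequires returns module path -> version for every require entry in a go.mod,
// handling both `require x vN` and the `require ( ... )` block form. Trailing
// `// indirect` comments are stripped; indirect dependencies are still checked,
// since the vulnerable code ships in the binary either way.
func parseRequires(goMod string) map[string]string {
	out := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "":
			continue
		case line == "require (":
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case inBlock:
			if f := strings.Fields(line); len(f) == 2 {
				out[f[0]] = f[1]
			}
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) == 3 {
				out[f[1]] = f[2]
			}
		}
	}
	return out
}

// compareVersions orders two MAJOR.MINOR.PATCH strings numerically, with or without a
// leading "v". A pre-release suffix ("-rc1") sorts below the bare release; build metadata
// ("+meta") is ignored. Returns -1, 0 or 1.
func compareVersions(a, b string) int {
	core := func(v string) ([3]int, bool) {
		v = strings.TrimPrefix(v, "v")
		pre := false
		if i := strings.IndexAny(v, "-+"); i >= 0 {
			pre = v[i] == '-'
			v = v[:i]
		}
		var n [3]int
		for i, p := range strings.SplitN(v, ".", 3) {
			n[i], _ = strconv.Atoi(p)
		}
		return n, pre
	}
	na, pa := core(a)
	nb, pb := core(b)
	for i := 0; i < 3; i++ {
		if na[i] < nb[i] {
			return -1
		}
		if na[i] > nb[i] {
			return 1
		}
	}
	if pa && !pb {
		return -1
	}
	if !pa && pb {
		return 1
	}
	return 0
}

// vulnerableModules lists every required module whose version is below its fixed version.
func vulnerableModules(goMod string) []string {
	var bad []string
	for mod, ver := range parseRequires(goMod) {
		if fixed, ok := fixedVersions[mod]; ok && compareVersions(ver, fixed) < 0 {
			bad = append(bad, fmt.Sprintf("%s %s (fixed in %s)", mod, ver, fixed))
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	for _, b := range vulnerableModules(sampleGoMod) {
		fmt.Println("still vulnerable:", b)
	}
}
```

On the constructed go.mod this flags mapstructure/v2 v2.3.0 and nothing else; bumping the line to v2.4.0, as this PR does, makes the list empty. The check reads only the direct go.mod, so it is a gate for the bump itself; the post-fix Trivy run against the built binary remains the evidence that the module selected by the build graph is the fixed one.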

@rayaisaiah rayaisaiah requested a review from a team as a code owner October 20, 2025 18:52
Copilot AI review requested due to automatic review settings October 20, 2025 18:52
@rayaisaiah rayaisaiah added the npm Related to NPM. label Oct 20, 2025

Copilot AI left a comment


Pull Request Overview

This PR addresses a security vulnerability (GHSA-2464-8j7c-4cjm) in the github.com/go-viper/mapstructure/v2 library by upgrading from v2.3.0 to v2.4.0. The vulnerability could potentially leak sensitive information in logs when processing malformed data.

  • Updates the github.com/go-viper/mapstructure/v2 dependency from v2.3.0 to v2.4.0
  • Resolves MEDIUM severity security vulnerability in NPM's gobinary
  • Eliminates all vulnerabilities in the azure-npm container image


@rayaisaiah rayaisaiah changed the title from "[NPM] [Vulnerability] Resolve ghsa 2464 8j7c 4cjm in github.com/go-viper/mapstructure/v2 Library." to "[NPM] [Vulnerability] Resolve ghsa-2464-8j7c-4cjm in github.com/go-viper/mapstructure/v2 Library." Oct 20, 2025
@rayaisaiah (Contributor Author)

/azp run Azure Container Networking PR, NPM Scale Test, NPM Conformance Tests

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@rayaisaiah (Contributor Author)

rayaisaiah commented Oct 20, 2025

matmerr
matmerr previously approved these changes Oct 20, 2025
@rayaisaiah rayaisaiah enabled auto-merge October 20, 2025 22:34
@rayaisaiah (Contributor Author)

/azp run Azure Container Networking PR

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@rayaisaiah rayaisaiah added this pull request to the merge queue Oct 20, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Oct 21, 2025
@rayaisaiah rayaisaiah added this pull request to the merge queue Oct 21, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Oct 21, 2025
@rayaisaiah rayaisaiah added this pull request to the merge queue Oct 21, 2025
@rayaisaiah rayaisaiah removed this pull request from the merge queue due to a manual request Oct 21, 2025
@rayaisaiah (Contributor Author)

/azp run Azure Container Networking PR

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@rayaisaiah rayaisaiah enabled auto-merge October 21, 2025 17:16
jpayne3506
jpayne3506 previously approved these changes Oct 21, 2025
rbtr
rbtr previously approved these changes Oct 21, 2025
@rayaisaiah rayaisaiah added this pull request to the merge queue Oct 21, 2025
@rayaisaiah rayaisaiah removed this pull request from the merge queue due to a manual request Oct 21, 2025
@rayaisaiah rayaisaiah dismissed stale reviews from rbtr and jpayne3506 via f607636 October 21, 2025 21:24
@rayaisaiah rayaisaiah requested review from jpayne3506 and rbtr October 21, 2025 21:25
@rayaisaiah (Contributor Author)

/azp run Azure Container Networking PR

@rayaisaiah rayaisaiah enabled auto-merge October 21, 2025 21:26
@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@rayaisaiah (Contributor Author)

/azp run Azure Container Networking PR

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@jpayne3506 jpayne3506 disabled auto-merge October 21, 2025 21:50
@rayaisaiah rayaisaiah added this pull request to the merge queue Oct 21, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Oct 22, 2025
@paulyufan2 paulyufan2 added this pull request to the merge queue Oct 22, 2025
@rayaisaiah rayaisaiah removed this pull request from the merge queue due to a manual request Oct 22, 2025
@rayaisaiah rayaisaiah added this pull request to the merge queue Oct 22, 2025
Merged via the queue into release/v1.6 with commit b2762a3 Oct 22, 2025
10 of 15 checks passed
@rayaisaiah rayaisaiah deleted the isaiahraya/npm-cve-GHSA-2464-8j7c-4cjm branch October 22, 2025 20:20