Headline
GHSA-r92c-9c7f-3pj8: OpenTofu has High CPU usage in "tofu init" with maliciously-crafted module packages in .zip format
Impact
Unauthenticated denial of service.
Summary
When installing module packages from attacker-controlled sources, tofu init may cause high CPU usage when encountering maliciously-crafted .zip archives for either provider or module distribution packages.
Those who depend on modules or providers served from untrusted third-party servers may experience denial of service due to tofu init failing to complete in a timely manner. Other processes running on the same computer as OpenTofu may also have their performance degraded due to the high CPU usage.
These vulnerabilities do not permit arbitrary code execution or allow disclosure of confidential information.
Details
OpenTofu relies on a third-party implementation of .zip archive extraction from the standard library of the Go programming language. The Go project has recently published a minor release (Go 1.25.6) to address a problem of potential excessive CPU usage when accessing files in a maliciously-crafted .zip archive.
OpenTofu’s threat model considers module and package dependencies to be arbitrary third-party code that operators must carefully review after installation. However, this particular problem affects the process of installing these dependencies with tofu init, and so can potentially occur before an operator has had the opportunity to review what is being installed.
An attacker can exploit this either by controlling the content of a package served when OpenTofu is expecting to receive a archive using the .zip format, during either provider or module package installation.
However, the attacker must also coerce an OpenTofu operator into attempting dependency installation from a source that they control. Typical use of OpenTofu already requires caution in selection of third-party dependencies because they are arbitrary code, and so the vulnerability here is only in the addition of a potential denial of service in the tofu init process, which does not execute third-party dependency code itself.
Patches
OpenTofu v1.11.4 addresses these vulnerabilities by being built against Go 1.25.6, which contains an improved version of the upstream implementation.
Workarounds
These vulnerabilities can be exploited only if an attacker can coerce an operator to add a dependency from an attacker-controlled source to their configuration before running tofu init. Those who are unable to immediately upgrade can therefore minimize risk by reviewing new dependencies before adding them to the configuration, such as by directly fetching the relevant artifacts using software other than OpenTofu.
Successful exploitation requires that the attacker control a .zip archive that OpenTofu would fetch and extract during the provider or module installation processes. Note that OpenTofu modules can have their own dependencies on other providers and modules, so an attacker could potentially use a module served from a source such as GitHub or the OpenTofu Registry to indirectly request a provider or module package from a server that they control.
References
Impact
Unauthenticated denial of service.
Summary
When installing module packages from attacker-controlled sources, tofu init may cause high CPU usage when encountering maliciously-crafted .zip archives for either provider or module distribution packages.
Those who depend on modules or providers served from untrusted third-party servers may experience denial of service due to tofu init failing to complete in a timely manner. Other processes running on the same computer as OpenTofu may also have their performance degraded due to the high CPU usage.
These vulnerabilities do not permit arbitrary code execution or allow disclosure of confidential information.
Details
OpenTofu relies on a third-party implementation of .zip archive extraction from the standard library of the Go programming language. The Go project has recently published a minor release (Go 1.25.6) to address a problem of potential excessive CPU usage when accessing files in a maliciously-crafted .zip archive.
OpenTofu’s threat model considers module and package dependencies to be arbitrary third-party code that operators must carefully review after installation. However, this particular problem affects the process of installing these dependencies with tofu init, and so can potentially occur before an operator has had the opportunity to review what is being installed.
An attacker can exploit this either by controlling the content of a package served when OpenTofu is expecting to receive a archive using the .zip format, during either provider or module package installation.
However, the attacker must also coerce an OpenTofu operator into attempting dependency installation from a source that they control. Typical use of OpenTofu already requires caution in selection of third-party dependencies because they are arbitrary code, and so the vulnerability here is only in the addition of a potential denial of service in the tofu init process, which does not execute third-party dependency code itself.
Patches
OpenTofu v1.11.4 addresses these vulnerabilities by being built against Go 1.25.6, which contains an improved version of the upstream implementation.
Workarounds
These vulnerabilities can be exploited only if an attacker can coerce an operator to add a dependency from an attacker-controlled source to their configuration before running tofu init. Those who are unable to immediately upgrade can therefore minimize risk by reviewing new dependencies before adding them to the configuration, such as by directly fetching the relevant artifacts using software other than OpenTofu.
Successful exploitation requires that the attacker control a .zip archive that OpenTofu would fetch and extract during the provider or module installation processes. Note that OpenTofu modules can have their own dependencies on other providers and modules, so an attacker could potentially use a module served from a source such as GitHub or the OpenTofu Registry to indirectly request a provider or module package from a server that they control.
References
- OpenTofu v1…11.4 release notes
- golang/go#77102
References
- GHSA-r92c-9c7f-3pj8
- golang/go#77102
- opentofu/opentofu#3689
- opentofu/opentofu@f5d5cdf
- https://github.com/opentofu/opentofu/releases/tag/v1.11.4