Headline
GHSA-w2jf-268q-mrvh: OpenTofu affected denials of service in "tofu init" with maliciously-crafted module package responses
Impact
Unauthenticated denial of service.
Summary
When installing module packages from attacker-controlled sources, tofu init may use unbounded memory, cause high CPU usage, or crash when encountering maliciously-crafted TLS certificate chains or tar archives.
Those who depend on modules or providers served from untrusted third-party servers may experience denial of service due to tofu init failing to complete successfully. In the case of unbounded memory usage or high CPU usage, other processes running on the same computer as OpenTofu may also fail or have their performance degraded due to the depletion of shared system resources.
These vulnerabilities do not permit arbitrary code execution or allow disclosure of confidential information.
Details
OpenTofu relies on third-party implementations of TLS certificate verification and tar archive extraction from the standard library of the Go programming language.
The Go project has recently published the following advisories for those implementations which indirectly affect OpenTofu’s behavior:
- CVE-2025-58183: Unbounded allocation when parsing GNU sparse map in archive/tar
- CVE-2025-58185: Parsing DER payload can cause memory exhaustion in encoding/asn1
- CVE-2025-58187: Quadratic complexity when checking name constraints in crypto/x509
- CVE-2025-58188: Panic when validating certificates with DSA public keys in crypto/x509
OpenTofu’s threat model considers module and package dependencies to be arbitrary third-party code that operators must carefully review after installation. However, these particular problems affect the process of installing these dependencies with tofu init, and so can potentially occur before an operator has had the opportunity to review what is being installed. In particular, the TLS-related vulnerabilities can occur before OpenTofu actually retrieves a dependency package and performs checksum verification, because they affect the transport of the packages rather than the content of the packages.
An attacker can exploit this either by controlling the TLS certificate chain used to authenticate the connection to the server where the dependencies are hosted, or (in the case of module packages only) by controlling the content of a package served when OpenTofu is expecting to receive a package using the “tar” archive format with or without compression.
However, the attacker must also coerce an OpenTofu operator into attempting dependency installation from the server they control. Typical use of OpenTofu already requires caution in selection of third-party dependencies because they are arbitrary code, and so the vulnerability here is only in the addition of a potential denial of service in the tofu init process, which does not execute third-party dependency code itself.
Patches
OpenTofu v1.10.7 addresses these vulnerabilities by being built against Go 1.24.9, which contains improved versions of the upstream implementations.
The OpenTofu v1.9 and v1.8 series are also impacted by these vulnerabilities. However, those series are built with a version of Go for which no upstream fix is available. Adopting Go 1.24.9 for those series would effectively end support for certain versions of macOS and Linux, and the OpenTofu Project has determined that the impact of these vulnerabilities is not high enough to justify that disruption in a patch release. For those using the OpenTofu v1.9 or v1.8 releases we recommend planning to upgrade to OpenTofu v1.10.7 in the near future, and reviewing the Workarounds section below in the meantime.
Workarounds
These vulnerabilities can be exploited only if an attacker can coerce an operator to add a dependency from an attacker-controlled source to their configuration before running tofu init. Those who are unable to upgrade can therefore minimize risk by reviewing new dependencies before adding them to the configuration, such as by directly fetching the relevant artifacts using software other than OpenTofu.
Successful exploitation requires that the attacker control either an HTTPS server that tofu init would contact during dependency installation or a tar archive that OpenTofu would fetch and extract during the module installation process. Note that OpenTofu modules can have their own dependencies on other modules, so an attacker could potentially use a module served from a source such as GitHub or the OpenTofu Registry to indirectly request a module from a server they control.
Impact
Unauthenticated denial of service.
Summary
When installing module packages from attacker-controlled sources, tofu init may use unbounded memory, cause high CPU usage, or crash when encountering maliciously-crafted TLS certificate chains or tar archives.
Those who depend on modules or providers served from untrusted third-party servers may experience denial of service due to tofu init failing to complete successfully. In the case of unbounded memory usage or high CPU usage, other processes running on the same computer as OpenTofu may also fail or have their performance degraded due to the depletion of shared system resources.
These vulnerabilities do not permit arbitrary code execution or allow disclosure of confidential information.
Details
OpenTofu relies on third-party implementations of TLS certificate verification and tar archive extraction from the standard library of the Go programming language.
The Go project has recently published the following advisories for those implementations which indirectly affect OpenTofu’s behavior:
- CVE-2025-58183: Unbounded allocation when parsing GNU sparse map in archive/tar
- CVE-2025-58185: Parsing DER payload can cause memory exhaustion in encoding/asn1
- CVE-2025-58187: Quadratic complexity when checking name constraints in crypto/x509
- CVE-2025-58188: Panic when validating certificates with DSA public keys in crypto/x509
OpenTofu’s threat model considers module and package dependencies to be arbitrary third-party code that operators must carefully review after installation. However, these particular problems affect the process of installing these dependencies with tofu init, and so can potentially occur before an operator has had the opportunity to review what is being installed. In particular, the TLS-related vulnerabilities can occur before OpenTofu actually retrieves a dependency package and performs checksum verification, because they affect the transport of the packages rather than the content of the packages.
An attacker can exploit this either by controlling the TLS certificate chain used to authenticate the connection to the server where the dependencies are hosted, or (in the case of module packages only) by controlling the content of a package served when OpenTofu is expecting to receive a package using the “tar” archive format with or without compression.
However, the attacker must also coerce an OpenTofu operator into attempting dependency installation from the server they control. Typical use of OpenTofu already requires caution in selection of third-party dependencies because they are arbitrary code, and so the vulnerability here is only in the addition of a potential denial of service in the tofu init process, which does not execute third-party dependency code itself.
Patches
OpenTofu v1.10.7 addresses these vulnerabilities by being built against Go 1.24.9, which contains improved versions of the upstream implementations.
The OpenTofu v1.9 and v1.8 series are also impacted by these vulnerabilities. However, those series are built with a version of Go for which no upstream fix is available. Adopting Go 1.24.9 for those series would effectively end support for certain versions of macOS and Linux, and the OpenTofu Project has determined that the impact of these vulnerabilities is not high enough to justify that disruption in a patch release. For those using the OpenTofu v1.9 or v1.8 releases we recommend planning to upgrade to OpenTofu v1.10.7 in the near future, and reviewing the Workarounds section below in the meantime.
Workarounds
These vulnerabilities can be exploited only if an attacker can coerce an operator to add a dependency from an attacker-controlled source to their configuration before running tofu init. Those who are unable to upgrade can therefore minimize risk by reviewing new dependencies before adding them to the configuration, such as by directly fetching the relevant artifacts using software other than OpenTofu.
Successful exploitation requires that the attacker control either an HTTPS server that tofu init would contact during dependency installation or a tar archive that OpenTofu would fetch and extract during the module installation process. Note that OpenTofu modules can have their own dependencies on other modules, so an attacker could potentially use a module served from a source such as GitHub or the OpenTofu Registry to indirectly request a module from a server they control.
References
- GHSA-w2jf-268q-mrvh
- opentofu/opentofu#3458
- opentofu/opentofu#3462
- opentofu/opentofu#3464
- opentofu/opentofu#3465
- opentofu/opentofu#3467
- https://github.com/opentofu/opentofu/releases/tag/v1.10.7
- https://www.cve.org/CVERecord?id=CVE-2025-58183
- https://www.cve.org/CVERecord?id=CVE-2025-58185
- https://www.cve.org/CVERecord?id=CVE-2025-58187
- https://www.cve.org/CVERecord?id=CVE-2025-58188