GHSA-hw5x-4r37-72w7: OpenTofu has unbounded memory usage, high CPU usage, or deadlock in "tofu init" with maliciously-crafted dependency responses
When installing module packages from attacker-controlled sources, tofu init may use unbounded memory, cause high CPU usage, or deadlock when encountering maliciously-crafted TLS certificate chains or tar archives.
Those who depend on modules or providers served from untrusted third-party servers may experience denial of service due to tofu init failing to complete successfully. In the case of unbounded memory usage or high CPU usage, other processes running on the same computer as OpenTofu may also fail or have their performance degraded due to the depletion of shared system resources.
These vulnerabilities do not permit arbitrary code execution or allow disclosure of confidential information.
References
- github.com/advisories/GHSA-hw5x-4r37-72w7
- github.com/opentofu/opentofu
- github.com/opentofu/opentofu/issues/4029
- github.com/opentofu/opentofu/issues/4030
- github.com/opentofu/opentofu/issues/4031
- github.com/opentofu/opentofu/issues/4032
- github.com/opentofu/opentofu/pull/3966
- github.com/opentofu/opentofu/releases/tag/v1.11.6
- github.com/opentofu/opentofu/security/advisories/GHSA-hw5x-4r37-72w7
Code Behaviors & Features
Detect and mitigate GHSA-hw5x-4r37-72w7 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →