GHSA-r92c-9c7f-3pj8: OpenTofu has High CPU usage in "tofu init" with maliciously-crafted module packages in .zip format
(updated )
When installing module packages from attacker-controlled sources, tofu init may cause high CPU usage when encountering maliciously-crafted .zip archives for either provider or module distribution packages.
Those who depend on modules or providers served from untrusted third-party servers may experience denial of service due to tofu init failing to complete in a timely manner. Other processes running on the same computer as OpenTofu may also have their performance degraded due to the high CPU usage.
These vulnerabilities do not permit arbitrary code execution or allow disclosure of confidential information.
References
- github.com/advisories/GHSA-r92c-9c7f-3pj8
- github.com/golang/go/issues/77102
- github.com/opentofu/opentofu
- github.com/opentofu/opentofu/commit/f5d5cdf16615ea3c298e058b062951adb02805f3
- github.com/opentofu/opentofu/pull/3689
- github.com/opentofu/opentofu/releases/tag/v1.11.4
- github.com/opentofu/opentofu/security/advisories/GHSA-r92c-9c7f-3pj8
Code Behaviors & Features
Detect and mitigate GHSA-r92c-9c7f-3pj8 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →