GHSA-w2jf-268q-mrvh: OpenTofu affected denials of service in "tofu init" with maliciously-crafted module package responses
When installing module packages from attacker-controlled sources, tofu init may use unbounded memory, cause high CPU usage, or crash when encountering maliciously-crafted TLS certificate chains or tar archives.
Those who depend on modules or providers served from untrusted third-party servers may experience denial of service due to tofu init failing to complete successfully. In the case of unbounded memory usage or high CPU usage, other processes running on the same computer as OpenTofu may also fail or have their performance degraded due to the depletion of shared system resources.
These vulnerabilities do not permit arbitrary code execution or allow disclosure of confidential information.
References
- github.com/advisories/GHSA-w2jf-268q-mrvh
- github.com/opentofu/opentofu
- github.com/opentofu/opentofu/issues/3458
- github.com/opentofu/opentofu/issues/3462
- github.com/opentofu/opentofu/issues/3464
- github.com/opentofu/opentofu/issues/3465
- github.com/opentofu/opentofu/pull/3467
- github.com/opentofu/opentofu/releases/tag/v1.10.7
- github.com/opentofu/opentofu/security/advisories/GHSA-w2jf-268q-mrvh
- www.cve.org/CVERecord?id=CVE-2025-58183
- www.cve.org/CVERecord?id=CVE-2025-58185
- www.cve.org/CVERecord?id=CVE-2025-58187
- www.cve.org/CVERecord?id=CVE-2025-58188
Code Behaviors & Features
Detect and mitigate GHSA-w2jf-268q-mrvh with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →