GO-2026-5441
OpenTofu has unbounded memory usage, high CPU usage, or deadlock in "tofu init" with maliciously-crafted dependency responses in github.com/opentofu/opentofu
Affected packages
Go / github.com/opentofu/opentofu
Introduced in: 0
Fixed in: 1.11.6
Fix
go get github.com/opentofu/opentofu@v1.11.6
References
- https://github.com/opentofu/opentofu/security/advisories/GHSA-hw5x-4r37-72w7 [ADVISORY]
- https://github.com/opentofu/opentofu/pull/3966 [FIX]
- https://github.com/opentofu/opentofu/issues/4029 [REPORT]
- https://github.com/opentofu/opentofu/issues/4030 [REPORT]
- https://github.com/opentofu/opentofu/issues/4031 [REPORT]
- https://github.com/opentofu/opentofu/issues/4032 [REPORT]
- https://github.com/opentofu/opentofu/releases/tag/v1.11.6 [WEB]