GHSA-PXH5-6RRC-8RJV

GHSA-PXH5-6RRC-8RJV is a low-severity security vulnerability in github.com/opentofu/opentofu (go), affecting versions < 1.11.8. It is fixed in 1.11.8.

Summary

When installing provider or module packages from attacker-controlled servers, the server may cause tofu initto enter an infinite loop sending garbage data to that server.

Those who depend on modules or providers served from untrusted third-party servers may experience denial of service due to tofu init failing to complete successfully. Other processes running on the same computer as OpenTofu may also fail or have their performance degraded due to the depletion of shared system resources.

These vulnerabilities do not permit arbitrary code execution or allow disclosure of confidential information.

Details

OpenTofu relies a third-party implementations of HTTP2 from the standard library of the Go programming language.

The Go project has recently published the following advisory for that implementation, which indirectly affects OpenTofu's behavior:

  • CVE-2026-33814: Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net

OpenTofu's threat model considers module and package dependencies to be arbitrary third-party code that operators must carefully review after installation. However, these particular problems affect the process of installing these dependencies with tofu init, and so can potentially occur before an operator has had the opportunity to review what is being installed. In particular, the described problem would occur before OpenTofu actually retrieves a dependency package and performs checksum verification, because it affect the transport of the packages rather than the content of the packages.

An attacker can exploit this by controlling the HTTP2 implementation of the server where the dependencies are hosted, causing it to send a crafted "SETTINGS" frame which sets the maximum frame size to zero.

However, the attacker must also coerce an OpenTofu operator into attempting dependency installation from the server they control. Typical use of OpenTofu already requires caution in selection of third-party dependencies because they are arbitrary code, and so the vulnerability here is only in the addition of a potential denial of service in the tofu init process, which does not execute third-party dependency code itself.

Workarounds

This vulnerability can be exploited only if an attacker can coerce an operator to add a dependency from an attacker-controlled source to their configuration before running tofu init. Those who are unable to upgrade can therefore minimize risk by reviewing new dependencies before adding them to the configuration, such as by directly fetching the relevant artifacts using software other than OpenTofu.

Successful exploitation requires that the attacker control an HTTP2 server that tofu init would contact during dependency installation. Note that OpenTofu modules can have their own dependencies on other providers and modules, so an attacker could potentially use a module served from a source such as GitHub or the OpenTofu Registry to indirectly request a module from a server they control.

References

Impact

Unauthenticated denial of service.

GHSA-PXH5-6RRC-8RJV has a CVSS score of 3.1 (Low). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.11.8); upgrading removes the vulnerable code path.

Affected versions

github.com/opentofu/opentofu (< 1.11.8)

Security releases

github.com/opentofu/opentofu → 1.11.8 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

OpenTofu v1.11.8 addresses this vulnerability by being built against Go 1.25.10, which contains an improved version of the upstream implementation.

The OpenTofu v1.10 and v1.9 series are also impacted by this vulnerability. However, those series are built with a version of Go for which no upstream fix is available. Adopting Go 1.25.10 for those series would effectively end support for certain versions of macOS, and the OpenTofu Project has determined that the impact of these vulnerabilities is not high enough to justify that disruption in a patch release. For those using the OpenTofu v1.10 or v1.9 releases we recommend planning to upgrade to OpenTofu v1.11.8 in the near future, and reviewing the Workarounds section below in the meantime.

Frequently Asked Questions

  1. What is GHSA-PXH5-6RRC-8RJV? GHSA-PXH5-6RRC-8RJV is a low-severity security vulnerability in github.com/opentofu/opentofu (go), affecting versions < 1.11.8. It is fixed in 1.11.8.
  2. How severe is GHSA-PXH5-6RRC-8RJV? GHSA-PXH5-6RRC-8RJV has a CVSS score of 3.1 (Low). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of github.com/opentofu/opentofu are affected by GHSA-PXH5-6RRC-8RJV? github.com/opentofu/opentofu (go) versions < 1.11.8 is affected.
  4. Is there a fix for GHSA-PXH5-6RRC-8RJV? Yes. GHSA-PXH5-6RRC-8RJV is fixed in 1.11.8. Upgrade to this version or later.
  5. Is GHSA-PXH5-6RRC-8RJV exploitable, and should I be worried? Whether GHSA-PXH5-6RRC-8RJV is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether GHSA-PXH5-6RRC-8RJV is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix GHSA-PXH5-6RRC-8RJV? Upgrade github.com/opentofu/opentofu to 1.11.8 or later.

Other vulnerabilities in github.com/opentofu/opentofu

Stop the waste.
Protect your environment with Kodem.