GHSA-WCMJ-X466-56MM is a medium-severity security vulnerability in github.com/opentofu/opentofu (go), affecting versions >= 1.11.0, < 1.11.7. It is fixed in 1.11.7, 1.10.10.
Summary If a symlink already exists under the .terraform/providers directory where a provider package needs to be installed, tofu init would follow that symlink and install the new package content into it. If an attacker can coerce an operator into running tofu init in a directory whose contents are attacker-controlled, they can include such a symlink along with instruction to install an attacker-controlled provider package at the path of that symlink, which would then cause OpenTofu to write the contents of that provider package into an arbitrary directory elsewhere in the filesystem if the OpenTofu process has sufficient permission to write there. Details OpenTofu permits provider cache entries to be symlinks to other locations because that is how the local cache in a specific working directory refers to matching entries in a global cache directory configured in the CLI configuration file. Unfortunately, OpenTofu's provider installer was missing a rule to remove an existing symlink during installation if it refers to a directory that doesn't already match the expected provider package content. Instead, it would attempt to update the content of the target directory to match the content of the provider package. If developers use OpenTofu with the TFDATADIR environment variable set, note that the directory they specify in that environment variable is treated as a replacement location for the content that would normally be in the .terraform directory, and so it is that location which is sensitive to pre-existing symlinks. In the newly-issued versions of OpenTofu, it is now considered an error if any existing directory entry is present in the cache whose content does not already match the expected package content. As before, if an existing entry is present and its content already matches the expected package content then OpenTofu makes no changes to the target directory and just uses it as-is. Workaround If developers cannot upgrade to a fixed version immediately, OpenTofu recommends that they ensure that there is no .terraform directory already present when running tofu init for the first time in a new working directory. The absence of that directory guarantees that there cannot be a conflicting symlink. For an extra line of defense, verify before running tofu init that there are no symlinks anywhere under the current working directory that refer to any path above the current working directory. This limits the scope of attack only to other files in the same working directory, which the attacker already controls in this scenario. Notes and Resources OpenTofu thanks Francesco Sabiu (@fsabiu) for finding and responsibly disclosing this vulnerability. Generally-speaking, the OpenTofu project expects that operators will run tofu init only in directories containing content they trust. OpenTofu prioritized addressing this specific concern because a successful attack can write arbitrary files into an arbitrary directory and therefore the potential impact is relatively high and the solution to the problem is low-risk, but this is a pragmatic exception to the usual threat model and there aren't any plans for broader hardening of OpenTofu against attacks of this type. OpenTofu recommends that developers ensure that their working directory contents are as they expect before running tofu init. In particular: it remains possible for an attacker to place a symlink at some higher point in the directory structure of the provider cache, into which OpenTofu will construct subdirectories needed to create the remaining provider cache directory structure. OpenTofu evaluated that as a less severe concern because it does not give the attacker full control over what is written into the target directory, but note that this does still allow an attacker to write arbitrary content into a directory two levels beneath the target when placing the symlink at the hostname level of the cache directory structure. The original fix for this issue is in https://github.com/opentofu/opentofu/pull/4082. It was backported as follows: v1.12 branch for v1.12.0 v1.11 branch for v1.11.7 v1.10 branch for v1.10.10
GHSA-WCMJ-X466-56MM has a CVSS score of 6.1 (Medium). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (1.11.7, 1.10.10). Upgrading removes the vulnerable code path.
go
github.com/opentofu/opentofu (>= 1.11.0, < 1.11.7)github.com/opentofu/opentofu (< 1.10.10)github.com/opentofu/opentofu → 1.11.7 (go)github.com/opentofu/opentofu → 1.10.10 (go)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether GHSA-WCMJ-X466-56MM is reachable in your applications. Explore open-source security for your team.
See if GHSA-WCMJ-X466-56MM is reachable in your applications. Get a demo
Already deployed Kodem? See GHSA-WCMJ-X466-56MM in your environment →Upgrade the following packages to resolve this vulnerability:
github.com/opentofu/opentofu to 1.11.7 or latergithub.com/opentofu/opentofu to 1.10.10 or laterKodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
GHSA-WCMJ-X466-56MM is a medium-severity security vulnerability in github.com/opentofu/opentofu (go), affecting versions >= 1.11.0, < 1.11.7. It is fixed in 1.11.7, 1.10.10.
GHSA-WCMJ-X466-56MM has a CVSS score of 6.1 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
github.com/opentofu/opentofu (go) versions >= 1.11.0, < 1.11.7 is affected.
Yes. GHSA-WCMJ-X466-56MM is fixed in 1.11.7, 1.10.10. Upgrade to this version or later.
Whether GHSA-WCMJ-X466-56MM is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
github.com/opentofu/opentofu to 1.11.7 or latergithub.com/opentofu/opentofu to 1.10.10 or later