
CVE Reports

Posted on • Originally published at cvereports.com


GHSA-PXH5-6RRC-8RJV: Client-Side Denial of Service in OpenTofu via Crafted HTTP/2 SETTINGS Frame

Vulnerability ID: GHSA-PXH5-6RRC-8RJV
CVSS Score: 3.1
Published: 2026-05-20

OpenTofu versions prior to 1.11.8 are susceptible to a client-side Denial of Service (DoS) vulnerability due to improper handling of HTTP/2 SETTINGS frames. When fetching dependencies from an attacker-controlled registry, the client can be forced into an infinite loop, resulting in uncontrolled CPU and memory exhaustion.

TL;DR

A flaw in the underlying Go HTTP/2 parser allows an attacker-controlled registry to trigger an infinite loop in the OpenTofu client by sending a zero-value SETTINGS_MAX_FRAME_SIZE parameter, resulting in local resource exhaustion.
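The check that prevents the condition described above is a bounds test on every SETTINGS parameter before it is applied. The following is an added example, not OpenTofu's code and not the Go net/http2 parser the advisory names: a stand-alone SETTINGS frame reader that enforces the RFC 9113 section 6.5.2 limits (MAX_FRAME_SIZE between 2^14 and 2^24-1, ENABLE_PUSH either 0 or 1, frame on stream 0, payload a multiple of 6 bytes) and refuses the whole frame on any violation instead of storing a value that can never hold a legal frame. The frames fed to it are constructed inline for the demonstration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame-level constants from RFC 9113 (HTTP/2).
const (
	frameHeaderLen    = 9   // 24-bit length, 8-bit type, 8-bit flags, 32-bit stream id
	frameTypeSettings = 0x4 // SETTINGS frame type
	flagSettingsAck   = 0x1 // ACK flag on SETTINGS

	settingEnablePush   = 0x2
	settingMaxFrameSize = 0x5

	minMaxFrameSize = 1 << 14   // 16384: initial value and lower bound
	maxMaxFrameSize = 1<<24 - 1 // 16777215
)

// Settings holds the peer's parameters after every value passed validation.
type Settings map[uint16]uint32

// Sentinel errors named after the HTTP/2 connection error codes.
var (
	ErrFrameSize = errors.New("FRAME_SIZE_ERROR")
	ErrProtocol  = errors.New("PROTOCOL_ERROR")
)

// ParseSettingsFrame validates one complete frame received from the server side
// of a connection; on error nothing from the frame may be applied.
func ParseSettingsFrame(frame []byte) (Settings, error) {
	if len(frame) < frameHeaderLen {
		return nil, fmt.Errorf("%w: truncated frame header", ErrFrameSize)
	}
	length := int(frame[0])<<16 | int(frame[1])<<8 | int(frame[2])
	ftype, flags := frame[3], frame[4]
	streamID := binary.BigEndian.Uint32(frame[5:9]) & 0x7fffffff // drop reserved bit
	if ftype != frameTypeSettings {
		return nil, fmt.Errorf("%w: frame type 0x%x is not SETTINGS", ErrProtocol, ftype)
	}
	if streamID != 0 {
		return nil, fmt.Errorf("%w: SETTINGS on stream %d", ErrProtocol, streamID)
	}
	payload := frame[frameHeaderLen:]
	if len(payload) != length {
		return nil, fmt.Errorf("%w: header says %d bytes, got %d", ErrFrameSize, length, len(payload))
	}
	if flags&flagSettingsAck != 0 {
		if length != 0 { // an ACK carries no parameters
			return nil, fmt.Errorf("%w: SETTINGS ACK with payload", ErrFrameSize)
		}
		return Settings{}, nil
	}
	if length%6 != 0 {
		return nil, fmt.Errorf("%w: payload length %d not a multiple of 6", ErrFrameSize, length)
	}
	s := Settings{}
	for off := 0; off < length; off += 6 {
		id := binary.BigEndian.Uint16(payload[off:])
		val := binary.BigEndian.Uint32(payload[off+2:])
		if err := validateSetting(id, val); err != nil {
			return nil, err // reject the whole frame, apply nothing
		}
		s[id] = val
	}
	return s, nil
}

// validateSetting enforces the per-parameter bounds of RFC 9113 section 6.5.2;
// unknown identifiers are ignored by design.
func validateSetting(id uint16, val uint32) error {
	switch id {
	case settingEnablePush:
		if val > 1 {
			return fmt.Errorf("%w: ENABLE_PUSH=%d", ErrProtocol, val)
		}
	case settingMaxFrameSize:
		// Below 16384 (zero included) no legal frame fits; never store it as a limit.
		if val < minMaxFrameSize || val > maxMaxFrameSize {
			return fmt.Errorf("%w: MAX_FRAME_SIZE=%d outside [%d, %d]",
				ErrProtocol, val, minMaxFrameSize, maxMaxFrameSize)
		}
	}
	return nil
}

// BuildSettingsFrame assembles a SETTINGS frame from (id, value) pairs; it exists
// only to construct sample input for this demonstration.
func BuildSettingsFrame(ack bool, pairs ...[2]uint32) []byte {
	payload := make([]byte, 6*len(pairs))
	for i, p := range pairs {
		binary.BigEndian.PutUint16(payload[6*i:], uint16(p[0]))
		binary.BigEndian.PutUint32(payload[6*i+2:], p[1])
	}
	hdr := make([]byte, frameHeaderLen) // stream id bytes 5..8 stay zero
	hdr[0], hdr[1], hdr[2] = byte(len(payload)>>16), byte(len(payload)>>8), byte(len(payload))
	hdr[3] = frameTypeSettings
	if ack {
		hdr[4] = flagSettingsAck
	}
	return append(hdr, payload...)
}

func main() {
	// Constructed sample: the zero MAX_FRAME_SIZE value the advisory describes.
	_, err := ParseSettingsFrame(BuildSettingsFrame(false, [2]uint32{settingMaxFrameSize, 0}))
	fmt.Println("zero MAX_FRAME_SIZE:", err)
	s, err := ParseSettingsFrame(BuildSettingsFrame(false, [2]uint32{settingMaxFrameSize, 1 << 20}))
	fmt.Println("valid frame:", s, err)
}
```

The design point is that validation happens before any field of the parser's connection state is updated, so a rejected frame leaves the client exactly where it was and the connection is torn down with a PROTOCOL_ERROR rather than looping on a limit of zero.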


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-835
  • Attack Vector: Network
  • CVSS Score: 3.1
  • Impact: Denial of Service
  • Exploit Status: Proof-of-Concept
  • Target Component: Go net/http2 Parser

Affected Systems

  • OpenTofu Client
  • OpenTofu: < 1.11.8 (Fixed in: 1.11.8)

Mitigation Strategies

  • Upgrade OpenTofu to version 1.11.8 or later.
  • Implement network egress filtering to restrict registry access to trusted domains.
  • Mandate strict code review for external module sources in OpenTofu configurations.

Remediation Steps

  1. Identify all deployment environments (CI/CD runners, local workstations) utilizing OpenTofu.
  2. Download the OpenTofu v1.11.8 release binary from the official repository.
  3. Update base Docker images used in infrastructure pipelines to include the patched binary.
  4. Verify the installed version by executing tofu version in the updated environments.
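Step 4 is the one most often scripted into a CI gate. The following is an added example, not part of this report and not an OpenTofu tool: it takes the text printed by tofu version (assumed to begin with a line of the form "OpenTofu v1.11.7", which is the format this example expects) and reports whether the build is at or above the fixed release. A prerelease of the fixed version (for example 1.11.8-rc1) sorts before the release under semver ordering and is reported as unpatched. The sample outputs are constructed inline.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// MinPatchedVersion is the first release the advisory lists as fixed.
const MinPatchedVersion = "1.11.8"

// semverRe captures major, minor, patch and an optional prerelease suffix.
var semverRe = regexp.MustCompile(`v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?`)

// versionLineRe locates the banner line that `tofu version` is assumed to print
// first, e.g. "OpenTofu v1.11.7".
var versionLineRe = regexp.MustCompile(`OpenTofu (v?\d+\.\d+\.\d+(?:-[0-9A-Za-z.]+)?)`)

// parseSemver splits "1.11.8-rc1" into [1 11 8] and "-rc1".
func parseSemver(s string) (ver [3]int, pre string, ok bool) {
	m := semverRe.FindStringSubmatch(s)
	if m == nil {
		return ver, "", false
	}
	for i := 0; i < 3; i++ {
		ver[i], _ = strconv.Atoi(m[i+1]) // \d+ guarantees a parseable integer
	}
	return ver, m[4], true
}

// IsPatched reports whether the given `tofu version` output shows a build at or
// above MinPatchedVersion. It returns an error when no version line is present,
// so a missing or broken binary is never mistaken for a patched one.
func IsPatched(output string) (bool, error) {
	m := versionLineRe.FindStringSubmatch(output)
	if m == nil {
		return false, fmt.Errorf("no OpenTofu version line found in %q", output)
	}
	have, pre, _ := parseSemver(m[1])
	want, _, _ := parseSemver(MinPatchedVersion)
	for i := 0; i < 3; i++ {
		if have[i] != want[i] {
			return have[i] > want[i], nil
		}
	}
	// Same major.minor.patch: only a final release counts as patched.
	return pre == "", nil
}

func main() {
	// Constructed sample outputs; real output comes from running `tofu version`.
	samples := []string{
		"OpenTofu v1.11.7\non linux_amd64",
		"OpenTofu v1.11.8\non linux_amd64",
		"OpenTofu v1.11.8-rc1\non darwin_arm64",
		"bash: tofu: command not found",
	}
	for _, out := range samples {
		ok, err := IsPatched(out)
		fmt.Printf("%-40q patched=%v err=%v\n", out, ok, err)
	}
}
```

In a pipeline the exit status of such a check, rather than a human reading the banner, is what should block a runner image that still carries an affected build.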

