Tofu Init, CPU Quit: The Algorithmic Zip Bomb in OpenTofu
Jan 22, 2026 · 6 min read
Executive Summary (TL;DR)
If you use OpenTofu to manage infrastructure, a malicious module source can stall your deployment pipeline. By serving `tofu init` a specially crafted ZIP archive, an attacker can drive an O(N^2) file-indexing loop in Go's standard-library `archive/zip` package, pinning a CPU core at 100% for long enough that CI/CD jobs hang until their timeout fires. No memory blow-up and no code execution is involved; the archive costs the victim time, not space. Fixed in OpenTofu v1.11.4 by rebuilding with a patched Go toolchain.
OpenTofu versions prior to v1.11.4 are vulnerable to a Denial of Service (DoS) attack triggered by processing maliciously crafted ZIP archives. The flaw originates in the Go standard library's `archive/zip` package, not in OpenTofu's own code, so any `tofu init` that fetches a remote module archive is exposed; the attacker exhausts CPU through algorithmic complexity rather than through decompression size.
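The real fix is the toolchain upgrade, but a pipeline that pulls module archives from sources it does not fully trust can also refuse to hand an outsized archive to `archive/zip` at all: a quadratic loop only hurts when N is large, so bounding N before any entry is opened is cheap defence in depth. The Go program below is an added example written for this page; it is not OpenTofu's, go-getter's or the Go project's code. It makes one linear pass over the central directory that `zip.NewReader` parses and rejects the archive if it exceeds a cap on entry count or total declared uncompressed size, or if an entry name escapes the extraction root. The limit values, the `ArchiveLimits`, `CheckArchive` and `BuildArchive` names and the in-memory archives built for the demo are all assumptions constructed for the example; it does not reproduce the crafted archive from the advisory, whose layout the page does not give.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"path"
	"strings"
)

// ArchiveLimits bounds what a fetched module archive may declare before any
// entry is opened. The values below are assumptions made for this example,
// not OpenTofu's or go-getter's own settings.
type ArchiveLimits struct {
	MaxEntries      int    // caps N, the term an O(N^2) indexing loop grows with
	MaxUncompressed uint64 // caps the total declared output size (zip-bomb guard)
	MaxNameLen      int    // caps per-entry name length
}

// DefaultLimits is an illustrative policy; tune it to the largest module you
// legitimately fetch.
var DefaultLimits = ArchiveLimits{
	MaxEntries:      10_000,
	MaxUncompressed: 512 << 20, // 512 MiB
	MaxNameLen:      1024,
}

var (
	ErrTooManyEntries = errors.New("module archive: entry count exceeds limit")
	ErrTooLarge       = errors.New("module archive: declared size exceeds limit")
	ErrBadName        = errors.New("module archive: unsafe entry name")
)

// CheckArchive makes a single linear pass over the central directory that
// zip.NewReader has parsed and rejects the archive if it breaks a limit.
// Nothing is decompressed and Reader.Open is never called, so the cost is
// proportional to the number of headers, not to what they describe.
func CheckArchive(data []byte, lim ArchiveLimits) error {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	// A toolchain with zipinsecurepath=0 flags non-local names with
	// ErrInsecurePath but still returns a usable reader; fall through so
	// checkName reports such names the same way on every toolchain.
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return err
	}
	if len(r.File) > lim.MaxEntries {
		return fmt.Errorf("%w: %d > %d", ErrTooManyEntries, len(r.File), lim.MaxEntries)
	}
	var total uint64
	for _, f := range r.File {
		if err := checkName(f.Name, lim.MaxNameLen); err != nil {
			return err
		}
		// Compare before adding so a hostile size field cannot wrap the sum.
		if f.UncompressedSize64 > lim.MaxUncompressed-total {
			return fmt.Errorf("%w: more than %d bytes declared", ErrTooLarge, lim.MaxUncompressed)
		}
		total += f.UncompressedSize64
	}
	return nil
}

// checkName rejects empty or over-long names, absolute paths, backslashes,
// and any name that would leave the extraction root once cleaned.
func checkName(name string, maxLen int) error {
	if name == "" || len(name) > maxLen {
		return fmt.Errorf("%w: %q", ErrBadName, name)
	}
	if strings.HasPrefix(name, "/") || strings.Contains(name, `\`) {
		return fmt.Errorf("%w: %q", ErrBadName, name)
	}
	clean := path.Clean(name)
	if clean == ".." || strings.HasPrefix(clean, "../") {
		return fmt.Errorf("%w: %q", ErrBadName, name)
	}
	return nil
}

// BuildArchive constructs an in-memory ZIP with n entries, each holding body
// and named by nameFn (constructed test input, stored uncompressed). It stands
// in for whatever a hostile module source would serve.
func BuildArchive(n int, body []byte, nameFn func(i int) string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for i := 0; i < n; i++ {
		fw, err := w.CreateHeader(&zip.FileHeader{Name: nameFn(i), Method: zip.Store})
		if err != nil {
			panic(err)
		}
		if _, err := fw.Write(body); err != nil {
			panic(err)
		}
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	benign := BuildArchive(3, []byte("resource \"null_resource\" \"x\" {}\n"),
		func(i int) string { return fmt.Sprintf("modules/m%d/main.tf", i) })
	fmt.Println("benign:", CheckArchive(benign, DefaultLimits))

	// Many entries: the shape that makes an O(N^2) indexing loop expensive.
	flood := BuildArchive(DefaultLimits.MaxEntries+1, nil,
		func(i int) string { return fmt.Sprintf("d/%d", i) })
	fmt.Println("flood :", CheckArchive(flood, DefaultLimits))

	escape := BuildArchive(1, []byte("x"), func(int) string { return "../../etc/passwd" })
	fmt.Println("escape:", CheckArchive(escape, DefaultLimits))
}
```

To confirm that a deployed binary was actually rebuilt with the patched toolchain, run `go version -m "$(command -v tofu)"`: it prints the Go version embedded in the executable along with its module list, whereas `tofu version` reports only the OpenTofu release.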
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| OpenTofu | < 1.11.4 | 1.11.4 |
| Attribute | Detail |
|---|---|
| Vulnerability ID | GHSA-R92C-9C7F-3PJ8 |
| Underlying CVE | CVE-2025-61728 (Go) |
| Attack Vector | Network (Malicious Dependency) |
| Impact | Denial of Service (Resource Exhaustion) |
| Severity | High (Availability) |
| Root Cause | O(N^2) Complexity in archive/zip |
Weakness Classification
Inefficient algorithmic complexity (CWE-407): the affected code processes its input with a polynomial worst case, here quadratic (O(N^2)) in the archive's file index, and an attacker who controls the input can force that worst case to consume CPU until the operation is effectively denied.