{"id":"GO-2026-4352","summary":"OpenTofu has High CPU usage in \"tofu init\" with maliciously-crafted module packages in .zip format in github.com/opentofu/opentofu","details":"OpenTofu has High CPU usage in \"tofu init\" with maliciously-crafted module packages in .zip format in github.com/opentofu/opentofu","aliases":["GHSA-r92c-9c7f-3pj8"],"modified":"2026-02-04T16:28:59.815743Z","published":"2026-02-02T21:05:55Z","related":["CGA-jxfv-r8wh-rf6q"],"database_specific":{"review_status":"UNREVIEWED","url":"https://pkg.go.dev/vuln/GO-2026-4352"},"references":[{"type":"ADVISORY","url":"https://github.com/opentofu/opentofu/security/advisories/GHSA-r92c-9c7f-3pj8"},{"type":"FIX","url":"https://github.com/opentofu/opentofu/commit/f5d5cdf16615ea3c298e058b062951adb02805f3"},{"type":"FIX","url":"https://github.com/opentofu/opentofu/pull/3689"},{"type":"WEB","url":"https://github.com/opentofu/opentofu/releases/tag/v1.11.4"},{"type":"WEB","url":"https://go.dev/issue/77102"}],"affected":[{"package":{"name":"github.com/opentofu/opentofu","ecosystem":"Go","purl":"pkg:golang/github.com/opentofu/opentofu"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.11.4"}]}],"ecosystem_specific":{},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2026-4352.json"}}],"schema_version":"1.7.3"}