This vulnerability (GHSA-wcmj-x466-56mm) affects OpenTofu’s provider installation mechanism. OpenTofu permits provider cache entries to be symlinks to other locations, which is how the local cache refers to matching entries in a global cache directory. The provider installer lacked a rule to remove an existing symlink during installation if it pointed to a directory that did not match the expected provider package content. Instead, it would follow the symlink and attempt to update the content of the target directory to match the provider package.
An attacker who can coerce an operator into running `tofu init` in a directory they control can place a malicious symlink under `.terraform/providers` where a provider package needs to be installed. Along with this symlink, the attacker provides instructions to install a provider package they control. OpenTofu then follows the symlink and writes the contents of that provider package into the arbitrary directory pointed to by the symlink, provided the process has sufficient permissions.
If the `TF_DATA_DIR` environment variable is set, the directory specified there replaces `.terraform` and becomes the sensitive location. In fixed versions, OpenTofu now treats it as an error if an existing cache entry’s content does not match the expected package content. If the content already matches, OpenTofu makes no changes and uses it as-is. The fix was implemented in pull request 4082 and backported to earlier release series. OpenTofu thanks Francesco Sabiu (@fsabiu) for discovering and responsibly disclosing this issue.
DailyCVE Form:
Platform: OpenTofu
Version: <1.10.10, 1.11.0-1.11.6
Vulnerability: Symlink Path Traversal
Severity: Medium (CVSS 3.0)
Date: 2026-06-23
Prediction: Patch expected 2026-06-23 (already released)
What Undercode Say
Analytics & Detection Commands
To check if your OpenTofu version is vulnerable:
tofu version
If the version is before 1.10.10 or between 1.11.0 and 1.11.6, it is vulnerable.
To scan the current directory for symlinks whose target is an absolute path or starts with `../` before running tofu init:
find . -type l -ls | grep -E -- '-> (/|\.\./)'
This lists symlinks whose literal target begins with `/` or `../`; a target that only climbs out of the tree later in its path (for example `a/../../x`) is not caught, so resolve any doubtful link with `readlink -f`.
To verify the integrity of the `.terraform/providers` cache (or `$TF_DATA_DIR/providers` when that variable is set):
# Check for unexpected symlinks in the provider cache
find .terraform/providers -type l -ls
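A more thorough audit of the cache, added here as an example that is not part of this advisory or of OpenTofu's own code: it resolves every symlink under the provider cache and reports those whose target does not land inside the cache, treating a dangling link as a finding as well. `FindEscapingSymlinks`, the trusted-dir list and the exit-code convention are this example's own; it assumes TF_PLUGIN_CACHE_DIR, if set, is an absolute, clean path, since that global cache is where legitimate cache symlinks are expected to point.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// FindEscapingSymlinks walks root without following links (WalkDir uses Lstat) and
// returns "link -> raw target" for each symlink that resolves neither into root nor
// into a trusted dir (absolute, clean path), or that cannot be resolved at all.
func FindEscapingSymlinks(root string, trusted ...string) ([]string, error) {
	absRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return nil, err
	}
	bases := append([]string{absRoot}, trusted...)
	var findings []string
	err = filepath.WalkDir(absRoot, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil || d.Type()&fs.ModeSymlink == 0 {
			return walkErr
		}
		target, err := filepath.EvalSymlinks(p) // err != nil: dangling, still a write target
		for _, b := range bases {
			if b != "" && err == nil && (target == b || strings.HasPrefix(target, b+"/")) {
				return nil // resolves into the local cache or a trusted global cache
			}
		}
		raw, _ := os.Readlink(p)
		findings = append(findings, p+" -> "+raw)
		return nil
	})
	return findings, err
}

func main() {
	// tofu init populates .terraform/providers (TF_DATA_DIR replaces .terraform);
	// entries linking into TF_PLUGIN_CACHE_DIR are expected and not reported.
	findings, err := FindEscapingSymlinks(".terraform/providers", os.Getenv("TF_PLUGIN_CACHE_DIR"))
	if err != nil {
		fmt.Fprintln(os.Stderr, "audit failed:", err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Println("ESCAPING SYMLINK:", f)
	}
	os.Exit(len(findings)) // non-zero so a CI step can refuse to run tofu init
}
```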
Code Snippet – Vulnerable Behavior (Pre‑Fix)
// Simplified representation of the vulnerable installer logic.
// cachePath is the entry under .terraform/providers; os.Stat follows a symlink
// placed there, so an attacker-supplied link is accepted as an existing entry.
if _, err := os.Stat(cachePath); err == nil {
    // The symlink is followed and the target directory is rewritten to match
    // the provider package, wherever the link happens to point.
    os.RemoveAll(targetPath) // Dangerous: targetPath is reached through the symlink
    extractPackage(pkg, targetPath)
}
Fixed Behavior (Post‑Fix)
// Fixed logic: an existing entry is verified against the expected package and
// never rewritten; a mismatch is an error instead of a write through the link.
if _, err := os.Stat(cachePath); err == nil {
    if !contentMatches(cachePath, expectedPkg) {
        return fmt.Errorf("existing cache entry does not match expected package")
    }
    // Content already matches: use the existing entry as-is, no changes made.
}
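A runnable version of the fixed rule, added here as an example and not OpenTofu's actual installer code: `InstallProvider` and `contentMatches` are this example's own names, and a provider package is modelled as a flat map of file name to bytes. An existing entry, whether a directory or a symlink, is only read and compared; nothing is ever written through it.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"reflect"
)

// contentMatches reads the files directly under dir (read-only, so a symlinked
// dir is merely inspected) and reports whether name->bytes equals pkg exactly.
func contentMatches(dir string, pkg map[string][]byte) bool {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return false // a link to a file, a dangling link or an unreadable dir never matches
	}
	got := map[string][]byte{}
	for _, e := range entries {
		got[e.Name()], _ = os.ReadFile(filepath.Join(dir, e.Name()))
	}
	return reflect.DeepEqual(got, pkg)
}

// InstallProvider applies the post-fix rule: a missing entry is created and
// populated, while an existing entry (directory or symlink) is only compared;
// a mismatch is an error rather than a write through whatever the link targets.
func InstallProvider(cacheRoot, entryRel string, pkg map[string][]byte) error {
	entry := filepath.Join(cacheRoot, entryRel)
	if _, err := os.Lstat(entry); err == nil { // Lstat: a symlink counts as "exists"
		if contentMatches(entry, pkg) {
			return nil // already installed; leave it untouched
		}
		return fmt.Errorf("existing cache entry %s does not match expected package", entryRel)
	}
	if err := os.MkdirAll(entry, 0o755); err != nil {
		return err
	}
	for name, data := range pkg { // assumes a flat package: binary plus a few files
		if err := os.WriteFile(filepath.Join(entry, name), data, 0o755); err != nil {
			return err
		}
	}
	return nil
}

func main() { // stand-alone demo into a throwaway cache dir with constructed bytes
	dir, _ := os.MkdirTemp("", "tofu-cache")
	fmt.Println(InstallProvider(dir, "hashicorp/null/3.2.0/linux_amd64", map[string][]byte{"terraform-provider-null": []byte("stub")}))
}
```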
Exploit
An attacker can craft a malicious repository containing:
- A `.terraform/providers/registry.terraform.io/hashicorp/random/4.0.0/linux_amd64` symlink pointing to `/etc/passwd` (or any other sensitive directory).
- A `main.tf` file that declares the `hashicorp/random` provider.
When the victim runs `tofu init` in this repository, OpenTofu follows the symlink and overwrites `/etc/passwd` with the contents of the attacker‑controlled provider package, leading to arbitrary file write and potential privilege escalation.
Protection
- Upgrade to OpenTofu v1.10.10 or v1.11.7 or later.
- If unable to upgrade immediately, ensure that no `.terraform` directory (or the directory named by `TF_DATA_DIR`, if set) exists before running `tofu init` for the first time in a new working directory.
- As an extra defense, verify that there are no symlinks under the current working directory that point to any path above it.
- Always run `tofu init` only in directories whose contents you trust.
Impact
- Arbitrary File Write: An attacker can write arbitrary files to any directory where the OpenTofu process has write permissions.
- Potential Privilege Escalation: Overwriting sensitive system files (e.g., /etc/passwd, /etc/sudoers) can lead to full system compromise.
- Integrity Violation: The attack bypasses the intended provider cache isolation, allowing untrusted code to be placed in unexpected locations.
- Limited Scope: The attack requires the victim to run `tofu init` in an attacker‑controlled directory, which is a plausible social‑engineering vector.
- Partial Mitigation: Even after the fix, a less severe variant remains where an attacker can place a symlink at a higher cache level, allowing arbitrary content to be written two levels beneath the target directory.
Sources:
Reported By: github.com