43 matches found

OSV
added 2026/05/20 3:35 p.m. | 1 views

GHSA-PXH5-6RRC-8RJV OpenTofu: Excessive resource usage in "tofu init" when installing dependencies from attacker-controlled server

Impact: Unauthenticated denial of service. Summary: When installing provider or module packages from attacker-controlled servers, the server may cause tofu init to enter an infinite loop sending garbage data to that server. Those who depend on modules or providers served from untrusted third-party...

3.1 CVSS | 6.3 AI score
Exploits: 0 | References: 5

OSV
added 2026/04/14 11:34 p.m. | 0 views

GHSA-HW5X-4R37-72W7 OpenTofu has unbounded memory usage, high CPU usage, or deadlock in "tofu init" with maliciously-crafted dependency responses

Impact: Unauthenticated denial of service. Summary: When installing module packages from attacker-controlled sources, tofu init may use unbounded memory, cause high CPU usage, or deadlock when encountering maliciously-crafted TLS certificate chains or tar archives. Those who depend on modules or...

3.1 CVSS | 6.5 AI score
Exploits: 0 | References: 8

EUVD
added 2026/02/04 8:31 p.m. | 1 views

EUVD-2026-5351

Terraform / OpenTofu Provider adds support for Proxmox Virtual Environment. Prior to version 0.93.1, in the SSH configuration documentation, the sudoer line suggested is insecure and can result in escaping the folder using ../, allowing any files on the system to be edited. This issue has been...

8.7 CVSS | 5.3 AI score | 0.0003 EPSS
Exploits: 1 | References: 2

OSV
added 2026/02/02 9:5 p.m. | 2 views

GO-2026-4352 OpenTofu has High CPU usage in "tofu init" with maliciously-crafted module packages in .zip format in github.com/opentofu/opentofu

OpenTofu has High CPU usage in "tofu init" with maliciously-crafted module packages in .zip format in github.com/opentofu/opentofu...

5.3 AI score
Exploits: 0 | References: 5

OSV
added 2026/01/21 10:58 p.m. | 0 views

GHSA-R92C-9C7F-3PJ8 OpenTofu has High CPU usage in "tofu init" with maliciously-crafted module packages in .zip format

Impact: Unauthenticated denial of service. Summary: When installing module packages from attacker-controlled sources, tofu init may cause high CPU usage when encountering maliciously-crafted .zip archives for either provider or module distribution packages. Those who depend on modules or providers...

3.1 CVSS | 6.6 AI score
Exploits: 0 | References: 6

Github Security Blog
added 2026/01/21 10:58 p.m. | 14 views

OpenTofu has High CPU usage in "tofu init" with maliciously-crafted module packages in .zip format

Impact: Unauthenticated denial of service. Summary: When installing module packages from attacker-controlled sources, tofu init may cause high CPU usage when encountering maliciously-crafted .zip archives for either provider or module distribution packages. Those who depend on modules or providers...

6.6 AI score
Exploits: 0 | References: 6 | Affected Software: 1

OSV
added 2025/11/17 7:11 p.m. | 2 views

GO-2025-4101 OpenTofu affected denials of service in "tofu init" with maliciously-crafted module package responses in github.com/opentofu/opentofu

OpenTofu affected denials of service in "tofu init" with maliciously-crafted module package responses in github.com/opentofu/opentofu...

7.5 CVSS | 6.8 AI score | 0.00034 EPSS
Exploits: 0 | References: 11

Github Security Blog
added 2025/11/06 3:44 p.m. | 12 views

OpenTofu affected denials of service in "tofu init" with maliciously-crafted module package responses

Impact: Unauthenticated denial of service. Summary: When installing module packages from attacker-controlled sources, tofu init may use unbounded memory, cause high CPU usage, or crash when encountering maliciously-crafted TLS certificate chains or tar archives. Those who depend on modules or...

7.5 CVSS | 7.6 AI score | 0.00034 EPSS
Exploits: 0 | References: 12 | Affected Software: 1

OSV
added 2025/11/06 3:44 p.m. | 2 views

GHSA-W2JF-268Q-MRVH OpenTofu affected denials of service in "tofu init" with maliciously-crafted module package responses

Impact: Unauthenticated denial of service. Summary: When installing module packages from attacker-controlled sources, tofu init may use unbounded memory, cause high CPU usage, or crash when encountering maliciously-crafted TLS certificate chains or tar archives. Those who depend on modules or...

3.1 CVSS | 7.6 AI score | 0.00034 EPSS
Exploits: 0 | References: 12

EUVD
added 2025/11/06 3:44 p.m. | 1 views

EUVD-2025-38039

OpenTofu affected denials of service in "tofu init" with maliciously-crafted module package responses...

7.5 CVSS | 6.2 AI score | 0.00034 EPSS
Exploits: 0 | References: 12

EUVD
added 2025/10/07 12:30 a.m. | 1 views

EUVD-2009-4372

Malware in sbrugna...

4.3 CVSS | 6.3 AI score | 0.00564 EPSS
Exploits: 0 | References: 5

EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2005-3008

Malware in sbrugna...

7.5 CVSS | 6.4 AI score | 0.00741 EPSS
Exploits: 0 | References: 5

EUVD
added 2025/10/03 8:7 p.m. | 2 views

EUVD-2023-25133

Malicious code in bioql PyPI...

9.8 CVSS | 9.2 AI score | 0.01509 EPSS
Exploits: 0 | References: 4

Packet Storm News
added 2025/06/22 12:0 a.m. | 3 views

UCD: Unlearning in LLMs Via Contrastive Decoding

Machine unlearning aims to remove specific information, e.g. sensitive or undesirable content, from large language models (LLMs) while preserving overall performance. We propose an inference-time unlearning algorithm that uses contrastive decoding, leveraging two auxiliary smaller models, one train...

6.9 AI score
Exploits: 0

RedhatCVE
added 2025/05/23 1:47 a.m. | 5 views

CVE-2023-20965

In processMessageImpl of ClientModeImpl.java, there is a possible credential disclosure in the TOFU flow due to a logic error in the code. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

9.8 CVSS | 7.3 AI score | 0.01509 EPSS
Exploits: 0 | References: 1

NVD
added 2024/09/26 6:15 p.m. | 9 views

CVE-2024-47174

Nix is a package manager for Linux and other Unix systems. Starting in version 1.11 and prior to versions 2.18.8 and 2.24.8, `<nix/fetchurl.nix>` did not verify TLS certificates on HTTPS connections. This could lead to connection details such as full URLs or credentials leaking in case of a man-in-the-middle (MITM)...

5.9 CVSS | 0.00097 EPSS
Exploits: 0 | References: 4

Vulnrichment
added 2024/09/26 5:27 p.m. | 19 views

CVE-2024-47174 Credential leak when credentials are used with `<nix/fetchurl.nix>`

Nix is a package manager for Linux and other Unix systems. Starting in version 1.11 and prior to versions 2.18.8 and 2.24.8, `<nix/fetchurl.nix>` did not verify TLS certificates on HTTPS connections. This could lead to connection details such as full URLs or credentials leaking in case of a man-in-the-middle (MITM)...

5.9 CVSS | 6.8 AI score | 0.00097 EPSS
Exploits: 0 | References: 4

Debian CVE
added 2024/09/26 5:27 p.m. | 9 views

CVE-2024-47174

Nix is a package manager for Linux and other Unix systems. Starting in version 1.11 and prior to versions 2.18.8 and 2.24.8, `<nix/fetchurl.nix>` did not verify TLS certificates on HTTPS connections. This could lead to connection details such as full URLs or credentials leaking in case of a man-in-the-middle (MITM)...

5.9 CVSS | 5.8 AI score | 0.00097 EPSS
Exploits: 0

OSV
added 2024/09/26 5:27 p.m. | 8 views

CVE-2024-47174 Credential leak when credentials are used with `<nix/fetchurl.nix>`

Nix is a package manager for Linux and other Unix systems. Starting in version 1.11 and prior to versions 2.18.8 and 2.24.8, `<nix/fetchurl.nix>` did not verify TLS certificates on HTTPS connections. This could lead to connection details such as full URLs or credentials leaking in case of a man-in-the-middle (MITM)...

5.9 CVSS | 6.4 AI score | 0.00097 EPSS
Exploits: 0 | References: 6

OSV
added 2024/06/25 1:4 p.m. | 5 views

MAL-2024-3132 Malicious code in tofu-widgets (npm)

--- -= Per source details. Do not edit below this line.=-...

7.1 AI score
Exploits: 0