opentofu

v1.11.8 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 1 known CVE

Affected surfaces

deps

ReleasePort's take

Moderate signal
editorial:auto 13d

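Version v1.11.8 of opentofu fixes excessive resource consumption that occurred when an HTTP2 server specified a maximum frame size of zero.

Why it matters: Patch to v1.11.8 immediately if `tofu init` may install dependencies over HTTP2 from servers you do not control; a server that specifies a zero max frame size could otherwise cause excessive time and data usage.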

Summary

AI summary

Fixed excessive time and extraneous data sent to HTTP2 servers with max frame size zero.

Changes in this release

Security Medium

Fixes HTTP2 excessive resource consumption with frame size zero

Source: llm_adapter@2026-05-21

Confidence: high

Full changelog

SECURITY ADVISORIES:

  • Previous releases in the v1.11 series could potentially take an excessive amount of time and send extraneous data to an HTTP2 server that specifies a maximum frame size of zero. This is now fixed. (#4094)

    An attacker that can coerce an operator to install a dependency from an attacker-controlled server could use this to cause unexpected resource consumption during tofu init.

Full Changelog: https://github.com/opentofu/opentofu/compare/v1.11.7...v1.11.8

Security Fixes

  • Prevent excessive time and extraneous data transmission to HTTP2 servers that specify a maximum frame size of zero (addresses potential resource exhaustion during `tofu init`).


About opentofu

OpenTofu lets you declaratively manage your cloud infrastructure.

Related context

Earlier breaking changes

  • v1.12.0 Removal of OPENTOFU_USER_AGENT environment variable affects custom User-Agent header behavior.
