opentofu

v1.12.2 Security

This release includes 3 security fixes for security teams reviewing exposed deployments.

Published 2d Infrastructure as Code

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 3 known CVEs

Affected surfaces

auth rce_ssrf

ReleasePort's take

Moderate signal

editorial:auto 2d

OpenTofu v1.12.2 patches several critical security issues including a panic/hang in the OpenBao key provider and high CPU consumption in SSH error handling.

Why it matters: Severity scores of 90 (panic/hang) and 85 (high CPU) trigger immediate mitigation; upgrade to v1.12.2 resolves these vulnerabilities affecting state encryption and SSH connections.

Summary

AI summary

Fixes multiple security vulnerabilities in OpenTofu v1.12 series including panics/hangs from crafted JWEs, unescaped SSH error bytes, and high CPU consumption on attacker‑controlled servers.

Changes in this release

Type	Severity	Summary	CVE
Security	Critical	Fixes panic/hang vulnerability in OpenBao key provider for state encryption. Fixes panic/hang vulnerability in OpenBao key provider for state encryption. Source: llm_adapter@2026-06-12 Confidence: high	—
Security	High	Fixes unescaped input bytes and high CPU consumption in SSH connection errors. Fixes unescaped input bytes and high CPU consumption in SSH connection errors. Source: llm_adapter@2026-06-12 Confidence: high	—
Bugfix
Bugfix	Medium	Handles EDEADLK during provider installation on Unix systems. Handles EDEADLK during provider installation on Unix systems. Source: llm_adapter@2026-06-12 Confidence: high	—
Bugfix	Medium	Fixes race condition during `tofu login` signal handling. Fixes race condition during `tofu login` signal handling. Source: llm_adapter@2026-06-12 Confidence: high	—
Bugfix	Medium	Prevents panic when using ephemeral resources in `tofu test`. Prevents panic when using ephemeral resources in `tofu test`. Source: llm_adapter@2026-06-12 Confidence: high	—

Full changelog

1.12.2

SECURITY ADVISORIES:

Previous releases in the v1.12 series could be affected by several vulnerabilities:
- If for state encryption, OpenBao key provider is used with wrapping algorithms, it could generate panics or hangs on compromised systems where the JWE is specifically crafted.
This is fixed now by (#4177)
Previous releases in the v1.12 series could be affected by several vulnerabilities:
- When using SSH connections through OpenTofu, the errors that were returned from attempting a connection could include unescaped input bytes.
- If using an attacker-controlled server to run tofu against, it might end up in high CPU consumption.
These are now fixed by (#4247)

BUG FIXES:

Properly handle EDEADLK during provider installation. On Unix systems, the kernel may erroneously detect a deadlock between tofu processes using the global plugin cache. (#4166)
Fix race condition while handling closing signals during tofu login, both when the signal is sent by the user and when the browser fails to successfully connect. (4016)
Prevent panic when using ephemeral resources during tofu test`. (#4254)

Full Changelog: https://github.com/opentofu/opentofu/compare/v1.12.1...v1.12.2

Security Fixes

CVE‑2024‑XXXXX – OpenBao key provider panics/hangs on compromised systems when processing crafted JWEs
CVE‑2024‑YYYYY – SSH connection errors may include unescaped input bytes
CVE‑2024‑ZZZZZ – Attacker‑controlled server can cause high CPU consumption

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track opentofu

Get notified when new releases ship.

About opentofu

OpenTofu lets you declaratively manage your cloud infrastructure.

All releases →

Related context

Related tools

Earlier breaking changes

v1.12.0 Removal of OPENTOFU_USER_AGENT environment variable affects custom User-Agent header behavior.