{"vulnerability": "GHSA-WCMJ-X466-56MM", "sightings": [{"uuid": "4c94cd1f-af1a-4ede-a35e-4004f4072b0c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-WCMJ-X466-56MM", "type": "seen", "source": "https://gist.github.com/alon710/930931f8715581f8f0d0a4111bb621a6", "content": "# GHSA-WCMJ-X466-56MM: Arbitrary File Write via UNIX Symbolic Link Following in OpenTofu\n\n> **CVSS Score:** 6.1\n> **Published:** 2026-06-23\n> **Full Report:** https://cvereports.com/reports/GHSA-WCMJ-X466-56MM\n\n## Summary\nA UNIX symbolic link following vulnerability exists in the provider cache installation mechanism of OpenTofu. This flaw allows an attacker with control over the repository files to write files outside of the intended workspace boundary during initialization.\n\n## TL;DR\nAn input validation flaw during provider extraction in OpenTofu allows pre-seeded symbolic links to redirect file writes to arbitrary paths on the host system, enabling arbitrary file write outside the workspace.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-61\n- **Attack Vector**: Network\n- **CVSS v3.1**: 6.1 (Medium)\n- **Impact**: Arbitrary File Write\n- **Exploit Status**: Proof of Concept\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- OpenTofu\n- **github.com/opentofu/opentofu**: < 1.10.10 (Fixed in: `1.10.10`)\n- **github.com/opentofu/opentofu**: >= 1.11.0, < 1.11.7 (Fixed in: `1.11.7`)\n- **github.com/opentofu/opentofu**: >= 1.12.0-alpha1, < 1.12.0 (Fixed in: `1.12.0`)\n\n## Mitigation\n\n- Upgrade OpenTofu deployments to patched versions 1.10.10, 1.11.7, or 1.12.0\n- Enforce clean build steps in pipelines to delete local .terraform folders prior to execution\n- Implement non-root execution guidelines for CI/CD runners\n\n**Remediation Steps:**\n1. Audit all automation pipelines and check OpenTofu executable versions\n2. Upgrade OpenTofu to 1.10.10, 1.11.7, or 1.12.0 to introduce the Lstat checks\n3. Incorporate directory cleaning scripts ('rm -rf .terraform') in build setup files\n4. Configure operating system security controls to restrict file writes to the build workspace root\n\n## References\n\n- [GitHub Security Advisory Page](https://github.com/advisories/GHSA-WCMJ-X466-56MM)\n- [OpenTofu Advisory Details](https://github.com/opentofu/opentofu/security/advisories/GHSA-wcmj-x466-56mm)\n- [Primary Fix Pull Request](https://github.com/opentofu/opentofu/pull/4082)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-WCMJ-X466-56MM) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-24T03:42:03.000000Z"}]}