opentofu-fips-1.9
Chainguard
Status
Impact
The OpenTofu v1.9, v1.8, and v1.7 series are also impacted by these vulnerabilities; however, those series are built with a version of Go for which no upstream fix is available. Adopting Go 1.24.9 for those series would effectively end support for certain versions of macOS and Linux, and the OpenTofu Project has determined that the impact of these vulnerabilities is not high enough to justify that disruption in a patch release. OpenTofu v1.10.7 addresses these vulnerabilities by being built against Go 1.24.9, which contains improved versions of the upstream implementations. For those using the OpenTofu v1.9, v1.8, or v1.7 releases, we recommend planning to upgrade to OpenTofu v1.10.7 in the near future and reviewing the Workarounds section below in the meantime.
Status