CVE-2026-22701
ADVISORY - githubSummary
Vulnerability Summary
Title: Time-of-Check-Time-of-Use (TOCTOU) Symlink Vulnerability in SoftFileLock
Affected Component: filelock package - SoftFileLock class
File: src/filelock/_soft.py lines 17-27
CWE: CWE-362, CWE-367, CWE-59
Description
A TOCTOU race condition vulnerability exists in the SoftFileLock implementation of the filelock package. An attacker with local filesystem access and permission to create symlinks can exploit a race condition between the permission validation and file creation to cause lock operations to fail or behave unexpectedly.
The vulnerability occurs in the _acquire() method between raise_on_not_writable_file() (permission check) and os.open() (file creation). During this race window, an attacker can create a symlink at the lock file path, potentially causing the lock to operate on an unintended target file or leading to denial of service.
Attack Scenario
1. Lock attempts to acquire on /tmp/app.lock
2. Permission validation passes
3. [RACE WINDOW] - Attacker creates: ln -s /tmp/important.txt /tmp/app.lock
4. os.open() tries to create lock file
5. Lock operates on attacker-controlled target file or fails
Impact
What kind of vulnerability is it? Who is impacted?
This is a Time-of-Check-Time-of-Use (TOCTOU) race condition vulnerability affecting any application using SoftFileLock for inter-process synchronization.
Affected Users:
- Applications using
filelock.SoftFileLockdirectly - Applications using the fallback
FileLockon systems withoutfcntlsupport (e.g., GraalPy)
Consequences:
- Silent lock acquisition failure - applications may not detect that exclusive resource access is not guaranteed
- Denial of Service - attacker can prevent lock file creation by maintaining symlink
- Resource serialization failures - multiple processes may acquire "locks" simultaneously
- Unintended file operations - lock could operate on attacker-controlled files
CVSS v4.0 Score: 5.6 (Medium) Vector: CVSS:4.0/AV:L/AT:L/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N
Attack Requirements:
- Local filesystem access to the directory containing lock files
- Permission to create symlinks (standard for regular unprivileged users on Unix/Linux)
- Ability to time the symlink creation during the narrow race window
Patches
Has the problem been patched? What versions should users upgrade to?
Yes, the vulnerability has been patched by adding the O_NOFOLLOW flag to prevent symlink following during lock file creation.
Patched Version: Next release (commit: 255ed068bc85d1ef406e50a135e1459170dd1bf0)
Mitigation Details:
- The
O_NOFOLLOWflag is added conditionally and gracefully degrades on platforms without support - On platforms with
O_NOFOLLOWsupport (most modern systems): symlink attacks are completely prevented - On platforms without
O_NOFOLLOW(e.g., GraalPy): TOCTOU window remains but is documented
Users should:
- Upgrade to the patched version when available
- For critical deployments, consider using
UnixFileLockorWindowsFileLockinstead of the fallbackSoftFileLock
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
For users unable to update immediately:
Avoid
SoftFileLockin security-sensitive contexts - useUnixFileLockorWindowsFileLockwhen available (these were already patched for CVE-2025-68146)Restrict filesystem permissions - prevent untrusted users from creating symlinks in lock file directories:
chmod 700 /path/to/lock/directoryUse process isolation - isolate untrusted code from lock file paths to prevent symlink creation
Monitor lock operations - implement application-level checks to verify lock acquisitions are successful before proceeding with critical operations
References
Are there any links users can visit to find out more?
- Similar Vulnerability: CVE-2025-68146 (TOCTOU vulnerability in UnixFileLock/WindowsFileLock)
- CWE-362 (Concurrent Execution using Shared Resource): https://cwe.mitre.org/data/definitions/362.html
- CWE-367 (Time-of-check Time-of-use Race Condition): https://cwe.mitre.org/data/definitions/367.html
- CWE-59 (Improper Link Resolution Before File Access): https://cwe.mitre.org/data/definitions/59.html
- O_NOFOLLOW documentation: https://man7.org/linux/man-pages/man2/open.2.html
- GitHub Repository: https://github.com/tox-dev/filelock
Reported by: George Tsigourakos (@tsigouris007)
GitHub
CVSS SCORE
5.3medium| Package | Type | OS Name | OS Version | Affected Ranges | Fix Versions |
|---|---|---|---|---|---|
| filelock | pypi | - | - | <3.20.3 | 3.20.3 |
CVSS:3 Severity and metrics
The CVSS metrics represent different qualitative aspects of a vulnerability that impact the overall score, as defined by the CVSS Specification.
The vulnerable component is not bound to the network stack and the attacker's path is via read/write/execute capabilities. Either: The attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or remotely (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).
A successful attack depends on conditions beyond the attacker's control, requiring investing a measurable amount of effort in research, preparation, or execution against the vulnerable component before a successful attack.
The attacker requires privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
The vulnerable system can be exploited without interaction from any user.
An exploited vulnerability can only affect resources managed by the same security authority. In this case, the vulnerable component and the impacted component are either the same, or both are managed by the same security authority.
There is no loss of confidentiality.
Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact on the impacted component.
There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component.
NIST
CVSS SCORE
5.3mediumDebian
-
Ubuntu
-
CVSS SCORE
N/AmediumChainguard
CGA-g9xc-x5jw-3jjm
-
minimos
MINI-73gr-hxjp-p953
-
minimos
MINI-g5jw-ph6w-q47q
-
minimos
MINI-qf4j-9xjw-6574
-
minimos
MINI-rgqr-cqgm-77qc
-
minimos
MINI-v7m5-vjpp-cf32
-