Description
filelock is a platform-independent file lock for Python. Prior to version 3.20.3, a TOCTOU race condition vulnerability exists in the SoftFileLock implementation of the filelock package. An attacker with local filesystem access and permission to create symlinks can exploit a race condition between the permission validation and file creation to cause lock operations to fail or behave unexpectedly. The vulnerability occurs in the _acquire() method between raise_on_not_writable_file() (permission check) and os.open() (file creation). During this race window, an attacker can create a symlink at the lock file path, potentially causing the lock to operate on an unintended target file or leading to denial of service. This issue has been patched in version 3.20.3.
Published: 2026-01-10
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unintended lock target or denial of service
Action: Apply patch
AI Analysis

Impact

The filelock package contains a time‑of‑check/time‑of‑use race condition in its SoftFileLock implementation. During a window between permission validation and the creation of the lock file, an attacker with local file system access can replace the intended lock file path with a symbolic link. This can cause the lock to operate on an unintended target file or result in a failure of the lock operation, potentially leading to denial of service or inconsistent locking behavior for applications that rely on filelock.

Affected Systems

Projects that incorporate the tox‑dev filelock Python library with a version older than 3.20.3 are affected. The vulnerability manifests in the _acquire() method of SoftFileLock, so any code that performs lock acquisition via filelock before the 3.20.3 release is potentially exposed.

Risk and Exploitability

The CVSS base score is 5.3 indicating moderate severity. The EPSS score is reported as < 1 %, showing a very low likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. The attack vector requires local filesystem access and the ability to create symlinks, so it is generally limited to users with sufficient local privileges. If successfully exploited, an attacker could force the lock to reference a different file or trigger denial of service, disrupting application workflow.

Generated by OpenCVE AI on April 18, 2026 at 07:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade filelock to version 3.20.3 or newer
  • Restrict the lock‑file directory from symlink creation by adjusting file‑system permissions or applying ACLs
  • Validate that the lock file is not a symlink before or after acquisition, or wrap filelock calls with a custom safety check

Generated by OpenCVE AI on April 18, 2026 at 07:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-qmgc-5h2g-mvrw filelock Time-of-Check-Time-of-Use (TOCTOU) Symlink Vulnerability in SoftFileLock
History

Thu, 05 Mar 2026 14:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:tox-dev:filelock:*:*:*:*:*:python:*:*

Wed, 14 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Mon, 12 Jan 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 12 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Tox-dev
Tox-dev filelock
Vendors & Products Tox-dev
Tox-dev filelock

Sat, 10 Jan 2026 06:15:00 +0000

Type Values Removed Values Added
Description filelock is a platform-independent file lock for Python. Prior to version 3.20.3, a TOCTOU race condition vulnerability exists in the SoftFileLock implementation of the filelock package. An attacker with local filesystem access and permission to create symlinks can exploit a race condition between the permission validation and file creation to cause lock operations to fail or behave unexpectedly. The vulnerability occurs in the _acquire() method between raise_on_not_writable_file() (permission check) and os.open() (file creation). During this race window, an attacker can create a symlink at the lock file path, potentially causing the lock to operate on an unintended target file or leading to denial of service. This issue has been patched in version 3.20.3.
Title filelock Time-of-Check-Time-of-Use (TOCTOU) Symlink Vulnerability in SoftFileLock
Weaknesses CWE-362
CWE-367
CWE-59
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H'}

Subscriptions

Tox-dev Filelock
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-12T16:45:50.638Z

Reserved: 2026-01-08T19:23:09.856Z

Link: CVE-2026-22701

cve-icon Vulnrichment

Updated: 2026-01-12T16:45:47.955Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-10T06:15:52.673

Modified: 2026-03-05T13:50:02.570

Link: CVE-2026-22701

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-01-10T05:59:28Z

Links: CVE-2026-22701 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T07:15:25Z

Weaknesses