Labels: security (Security-related issues), vulnerability (Dependency vulnerability)
Vulnerability Report
Package: filelock (transitive dependency)
Installed Version: 3.18.0
CVEs
| CVE / GHSA ID | Description | Severity | Fixed In |
|---|---|---|---|
| GHSA-qmgc-5h2g-mvrw | TOCTOU Symlink Vulnerability in SoftFileLock | High | 3.20.3 |
| GHSA-w853-jp5j-5j7f | TOCTOU race condition allowing symlink attacks | High | 3.20.1 |
Details
filelock 3.18.0 is affected by two TOCTOU (time-of-check/time-of-use) vulnerabilities in the symlink handling of SoftFileLock. Both belong to the same class: a local attacker who can write to the directory holding the lock file can swap the lock path for a symlink between the check and the use, and the usual consequence of that class is a file created or truncated at a location the attacker chooses rather than a fresh lock file.
The second advisory was fixed in 3.20.1 and the first in 3.20.3, so filelock >= 3.20.3 is the minimum version that covers both.
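To make the class concrete, the following is an added example written for this report; it is not filelock's code and does not reproduce either advisory's exact bug. It shows a generic check-then-open "soft lock" beside a hardened single-step create, and drives both with a constructed scenario (all paths are temporary and invented) in which the attacker has planted a dangling symlink at the lock path. `os.path.exists()` follows symlinks, so the naive check passes and the naive `open()` creates the symlink's target; the hardened version fails closed.

```python
"""Added example (not filelock's code): the lock-file TOCTOU/symlink class.

Constructed scenario: a process takes a "soft" lock by creating a file at a
well-known path inside a directory that another local user can write to. If
the lock code checks for the path and then opens it in two steps, an attacker
who plants a symlink at that path in between makes the victim create or
truncate the symlink's *target* instead of a fresh lock file.
"""
import errno
import os
import stat
import tempfile


def acquire_naive(lock_path: str) -> int:
    """Vulnerable check-then-open pattern: two separate operations, and the
    open() follows symlinks, so a symlink planted at lock_path wins."""
    if os.path.exists(lock_path):  # time of check (follows symlinks!)
        raise FileExistsError(lock_path)
    return os.open(lock_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)  # time of use


def acquire_hardened(lock_path: str) -> int:
    """Single atomic create that refuses to go through a symlink.

    O_CREAT|O_EXCL fails with EEXIST if anything already sits at lock_path,
    a symlink included (even a dangling one), so there is no separate check
    to race. O_NOFOLLOW is belt-and-braces on platforms that have it.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(lock_path, flags, 0o644)
    if not stat.S_ISREG(os.fstat(fd).st_mode):  # paranoia: must be a plain file
        os.close(fd)
        raise OSError(errno.EPERM, "lock path is not a regular file", lock_path)
    return fd


def run_scenario() -> dict:
    """Deterministic reproduction of the class without a real race.

    The attacker plants a dangling symlink at the lock path. os.path.exists()
    follows symlinks and therefore reports False, so the naive check passes and
    the naive open() creates the symlink's target (a constructed victim path).
    Returns which behaviours were observed so the outcome can be asserted on.
    """
    with tempfile.TemporaryDirectory() as root:
        shared = os.path.join(root, "shared-tmp")      # attacker-writable dir (constructed)
        victim = os.path.join(root, "victim-home")     # victim-owned dir (constructed)
        os.makedirs(shared)
        os.makedirs(victim)
        lock_path = os.path.join(shared, "app.lock")
        target = os.path.join(victim, "planted.txt")   # does not exist yet
        os.symlink(target, lock_path)                  # attacker's move

        # Hardened version first, while the symlink is still dangling.
        hardened_refused = False
        try:
            os.close(acquire_hardened(lock_path))
        except OSError as exc:
            hardened_refused = exc.errno in (errno.EEXIST, errno.ELOOP)

        # Naive version: passes its check, then writes through the symlink.
        naive_followed_symlink = False
        try:
            os.close(acquire_naive(lock_path))
            naive_followed_symlink = os.path.isfile(target) and not os.path.islink(target)
        except OSError:
            pass

        # Sanity check: on an untouched path the hardened version does work.
        clean_path = os.path.join(shared, "clean.lock")
        os.close(acquire_hardened(clean_path))
        hardened_works = os.path.isfile(clean_path) and not os.path.islink(clean_path)

        return {
            "hardened_refused_symlink": hardened_refused,
            "naive_followed_symlink": naive_followed_symlink,
            "hardened_works_on_clean_path": hardened_works,
        }


if __name__ == "__main__":
    print(run_scenario())
```

The point of the hardened variant is that there is nothing to race: creation and the "does it already exist" decision are one system call, and the kernel treats an existing symlink (dangling or not) as "exists". Running the module on a POSIX system prints all three flags as expected; the example uses `os.symlink`, so it needs a platform where unprivileged symlink creation is allowed.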
Impact
filelock is a transitive dependency, pulled in via dev dependencies (likely virtualenv or pre-commit), so it is not shipped to users of this project. Exposure is limited to local development environments, and only where another local principal can write to the directory that holds the lock file. The fix is nonetheless straightforward.
Remediation
Constrain filelock >= 3.20.3 in the dev dependencies, or update the parent packages that pull it in so their resolved version is at least 3.20.3. Because only dev dependencies are affected, no release of the project itself is needed. After updating, confirm with `pip show filelock` and re-run osv-scanner to check that both advisories are gone.
Found by: osv-scanner