PT-2025-51773 · Filelock+4
Published 2025-12-16 · Updated 2026-06-03 · CVE-2025-68146
CVSS v3.1: 6.5 (Medium)
| Vector | AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
filelock versions prior to 3.20.1
Description
filelock is a platform-independent file lock for Python. A Time-of-Check to Time-of-Use (TOCTOU) race condition allows local attackers to corrupt or truncate arbitrary user files through symlink attacks. The issue exists in lock file creation, where the software checks for the file's existence before opening it with O_TRUNC. An attacker can create a symlink pointing to a victim file between the check and the open, causing the open to follow the symlink and truncate the target file. This affects users on Unix, Linux, macOS, and Windows systems. The attack requires local filesystem access and the ability to create symlinks. Exploitation can succeed within 1-3 attempts when lock file paths are predictable.
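As an added illustration (not filelock's own code and not its 3.20.1 fix), the check-then-open pattern described above next to a hardened lock open that never truncates, refuses to follow a symlink at the lock path, and verifies the opened descriptor against what is actually at that path. The constructed scenario plants a symlink to a victim file and checks that the hardened open refuses it and the victim survives; the function names and the victim/lock paths are assumptions.

```python
import os
import stat
import tempfile

def open_lock_vulnerable(path: str) -> int:
    """Check-then-open with O_TRUNC, the pattern the advisory describes (illustration only).
    A symlink planted at `path` between the two calls is followed and its target truncated."""
    if os.path.exists(path) and not os.path.isfile(path):
        raise OSError("lock path is not a regular file")
    return os.open(path, os.O_RDWR | os.O_CREAT | os.O_TRUNC, 0o644)

def open_lock_hardened(path: str) -> int:
    """No check/use gap: never truncate, refuse to follow a symlink at the lock path, and
    verify on the open descriptor that it is the regular file actually at `path`."""
    flags = os.O_RDWR | os.O_CREAT | getattr(os, "O_CLOEXEC", 0)
    flags |= getattr(os, "O_NOFOLLOW", 0)  # ELOOP on a symlink, where the platform has it
    fd = os.open(path, flags, 0o644)       # no O_TRUNC: existing contents are never destroyed
    try:
        opened, at_path = os.fstat(fd), os.lstat(path)  # lstat sees the link itself, if any
        if not stat.S_ISREG(opened.st_mode) or (
            (opened.st_dev, opened.st_ino) != (at_path.st_dev, at_path.st_ino)
        ):
            raise OSError(f"refusing {path!r}: not the regular file at that path")
    except BaseException:
        os.close(fd)
        raise
    return fd

def hardened_open_survives_planted_symlink() -> bool:
    """Constructed scenario: a symlink at the lock path points to a victim file.
    True when the hardened open refuses it and the victim's contents are untouched."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")
        with open(victim, "w") as f:
            f.write("important data")
        lock_path = os.path.join(d, "app.lock")
        os.symlink(victim, lock_path)
        refused = False
        try:
            os.close(open_lock_hardened(lock_path))
        except OSError:
            refused = True
        with open(victim) as f:
            return refused and f.read() == "important data"
```

The post-open lstat/fstat comparison is what still catches a symlink on platforms without O_NOFOLLOW; dropping O_TRUNC is what guarantees nothing is destroyed even when a check is raced.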
Recommendations
Upgrade to version 3.20.1.
If immediate upgrade is not possible, use SoftFileLock instead of UnixFileLock/WindowsFileLock.
Ensure lock file directories have restrictive permissions (chmod 0700) to prevent untrusted users from creating symlinks.
Monitor lock file directories for suspicious symlinks before running trusted applications.
Exploit
Fix
DoS
Race Condition
Link Following
Time Of Check To Time Of Use
Related Identifiers
Affected Products
Debian
Linuxmint
Red Os
Ubuntu
Filelock