Skip to content

chore(deps): update dependency filelock to v3.20.3 [security] - autoclosed #387

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
renovate wants to merge 1 commit into from
Closed

chore(deps): update dependency filelock to v3.20.3 [security] - autoclosed #387

renovate wants to merge 1 commit into from
+3 −3

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Jan 13, 2026

This PR contains the following updates:

Package Change Age Confidence
filelock 3.20.13.20.3 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2026-22701

Vulnerability Summary

Title: Time-of-Check-Time-of-Use (TOCTOU) Symlink Vulnerability in SoftFileLock

Affected Component: filelock package - SoftFileLock class
File: src/filelock/_soft.py lines 17-27
CWE: CWE-362, CWE-367, CWE-59

Description

A TOCTOU race condition vulnerability exists in the SoftFileLock implementation of the filelock package. An attacker with local filesystem access and permission to create symlinks can exploit a race condition between the permission validation and file creation to cause lock operations to fail or behave unexpectedly.

The vulnerability occurs in the _acquire() method between raise_on_not_writable_file() (permission check) and os.open() (file creation). During this race window, an attacker can create a symlink at the lock file path, potentially causing the lock to operate on an unintended target file or leading to denial of service.

Attack Scenario

1. Lock attempts to acquire on /tmp/app.lock
2. Permission validation passes
3. [RACE WINDOW] - Attacker creates: ln -s /tmp/important.txt /tmp/app.lock
4. os.open() tries to create lock file
5. Lock operates on attacker-controlled target file or fails

Impact

What kind of vulnerability is it? Who is impacted?

This is a Time-of-Check-Time-of-Use (TOCTOU) race condition vulnerability affecting any application using SoftFileLock for inter-process synchronization.

Affected Users:

  • Applications using filelock.SoftFileLock directly
  • Applications using the fallback FileLock on systems without fcntl support (e.g., GraalPy)

Consequences:

  • Silent lock acquisition failure - applications may not detect that exclusive resource access is not guaranteed
  • Denial of Service - attacker can prevent lock file creation by maintaining symlink
  • Resource serialization failures - multiple processes may acquire "locks" simultaneously
  • Unintended file operations - lock could operate on attacker-controlled files

CVSS v4.0 Score: 5.6 (Medium)
Vector: CVSS:4.0/AV:L/AT:L/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Attack Requirements:

  • Local filesystem access to the directory containing lock files
  • Permission to create symlinks (standard for regular unprivileged users on Unix/Linux)
  • Ability to time the symlink creation during the narrow race window

Patches

Has the problem been patched? What versions should users upgrade to?

Yes, the vulnerability has been patched by adding the O_NOFOLLOW flag to prevent symlink following during lock file creation.

Patched Version: Next release (commit: 255ed068bc85d1ef406e50a135e1459170dd1bf0)

Mitigation Details:

  • The O_NOFOLLOW flag is added conditionally and gracefully degrades on platforms without support
  • On platforms with O_NOFOLLOW support (most modern systems): symlink attacks are completely prevented
  • On platforms without O_NOFOLLOW (e.g., GraalPy): TOCTOU window remains but is documented

Users should:

  • Upgrade to the patched version when available
  • For critical deployments, consider using UnixFileLock or WindowsFileLock instead of the fallback SoftFileLock

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

For users unable to update immediately:

  1. Avoid SoftFileLock in security-sensitive contexts - use UnixFileLock or WindowsFileLock when available (these were already patched for CVE-2025-68146)

  2. Restrict filesystem permissions - prevent untrusted users from creating symlinks in lock file directories:

    chmod 700 /path/to/lock/directory

  3. Use process isolation - isolate untrusted code from lock file paths to prevent symlink creation

  4. Monitor lock operations - implement application-level checks to verify lock acquisitions are successful before proceeding with critical operations

References

Are there any links users can visit to find out more?

Reported by: George Tsigourakos (@​tsigouris007)

Release Notes

tox-dev/py-filelock (filelock)

v3.20.3

Compare Source

What's Changed

Full Changelog: tox-dev/filelock@3.20.2...3.20.3

v3.20.2

Compare Source

What's Changed
New Contributors

Full Changelog: tox-dev/filelock@3.20.1...3.20.2

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added bot Automated pull requests or issues dependencies Pull requests that update a dependency file labels Jan 13, 2026
@renovate renovate bot added renovate Pull requests from Renovate skip:codecov Skip Codecov reporting and check skip:test:long_running Skip long-running tests (≥5min) dependencies Pull requests that update a dependency file bot Automated pull requests or issues labels Jan 13, 2026
@sonarqubecloud
Copy link

sonarqubecloud bot commented Jan 13, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@renovate renovate bot changed the title chore(deps): update dependency filelock to v3.20.3 [security] chore(deps): update dependency filelock to v3.20.3 [security] - autoclosed Jan 14, 2026
@renovate renovate bot closed this Jan 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@helmut-hoffer-von-ankershoffen helmut-hoffer-von-ankershoffen Awaiting requested review from helmut-hoffer-von-ankershoffen helmut-hoffer-von-ankershoffen is a code owner

Assignees

No one assigned

Labels

bot Automated pull requests or issues dependencies Pull requests that update a dependency file renovate Pull requests from Renovate skip:codecov Skip Codecov reporting and check skip:test:long_running Skip long-running tests (≥5min)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant