filelock is vulnerable to Race Condition (TOCTOU)
53
Medium Risk
SoftReadWriteLock coordinates readers and writers through on-disk marker files whose ownership is tracked by a per-holder token. On release and during the writer's reader-drain phase the writer marker is unlinked or refreshed by path without re-checking that token, so a holder paused past the stale threshold can have its slot reclaimed by a peer and then delete or keep alive that peer's live marker, admitting a second concurrent writer and breaking mutual exclusion. The heartbeat also refreshes markers by path after opening them, letting a local attacker swap a symlink in between the check and the os.utime touch so the timestamp update lands on an unintended target file. The fix re-verifies the marker token before unlinking or completing an acquire and refreshes markers through the already-verified file descriptor.
You are affected if you are using a version that falls within the vulnerable range and use the soft read/write lock (SoftReadWriteLock or its async variant).
filelock is vulnerable to Race Condition (TOCTOU) in versions 3.27.0 - 3.29.4.
Upgrade the filelock library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant