Intel

AIKIDO-2026-228169

filelock is vulnerable to Race Condition (TOCTOU)

Race Condition (TOCTOU) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Yesterday

53

Medium Risk

This Affects:

PYTHONfilelock
3.27.0 - 3.29.4
Fixed in 3.29.5
Are you affected? Scan for Free

TL;DR

SoftReadWriteLock coordinates readers and writers through on-disk marker files whose ownership is tracked by a per-holder token. On release and during the writer's reader-drain phase the writer marker is unlinked or refreshed by path without re-checking that token, so a holder paused past the stale threshold can have its slot reclaimed by a peer and then delete or keep alive that peer's live marker, admitting a second concurrent writer and breaking mutual exclusion. The heartbeat also refreshes markers by path after opening them, letting a local attacker swap a symlink in between the check and the os.utime touch so the timestamp update lands on an unintended target file. The fix re-verifies the marker token before unlinking or completing an acquire and refreshes markers through the already-verified file descriptor.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and use the soft read/write lock (SoftReadWriteLock or its async variant).

Background info

filelock is vulnerable to Race Condition (TOCTOU) in versions 3.27.0 - 3.29.4.

How to fix this

Upgrade the filelock library to the patch version.