filelock is vulnerable to Uncontrolled Resource Consumption
25
Low Risk
filelock reads a SoftFileLock lock file in its stale-lock detection and PID inspection paths using a symlink-following, unbounded text read. When a lock becomes stale, a local attacker with write access to the lock directory can replace the lock file with a symlink, a FIFO, or an oversized file. A peer process that then reads the lock follows the symlink to an unintended target, blocks indefinitely on the FIFO, or exhausts memory reading the large file, causing denial of service. The fix opens the lock file with O_NOFOLLOW and O_NONBLOCK and caps the read size so hostile replacements are rejected instead of followed.
You are affected if you are using a version that falls within the vulnerable range and your application uses SoftFileLock with a lock directory writable by other local users.
filelock is vulnerable to Uncontrolled Resource Consumption in versions 3.22.0 - 3.29.0.
Upgrade the filelock library to a patched version.
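The hardening the fix describes (open with O_NOFOLLOW and O_NONBLOCK, then a capped read), shown as an added POSIX Python example that is not filelock's own code; the function names, the byte cap and the constructed lock directory in `demo()` are assumptions.

```python
import errno
import os
import stat
import tempfile

MAX_LOCK_BYTES = 4096  # assumed cap; a PID plus a newline is far below this


class HostileLockFile(Exception):
    """Raised when the lock file is not a small regular file."""


def read_lock_file(path, max_bytes=MAX_LOCK_BYTES):
    """Read a SoftFileLock-style lock file defensively: O_NOFOLLOW refuses a
    symlink, O_NONBLOCK keeps open() from hanging on a FIFO with no writer,
    and the read is capped so an oversized file cannot exhaust memory."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.EMLINK):  # symlink refused by O_NOFOLLOW
            raise HostileLockFile("symlink") from exc
        raise
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):  # FIFO, socket, device ...
            raise HostileLockFile("not a regular file")
        if st.st_size > max_bytes:
            raise HostileLockFile("oversized")
        data = os.read(fd, max_bytes + 1)  # bounded even if the file grew after fstat
        if len(data) > max_bytes:
            raise HostileLockFile("oversized")
        return data
    finally:
        os.close(fd)


def classify(path, max_bytes=MAX_LOCK_BYTES):
    """Return ("ok", pid_text) for a sane lock file, or ("rejected", reason)."""
    try:
        return ("ok", read_lock_file(path, max_bytes).decode("ascii", "replace").strip())
    except HostileLockFile as exc:
        return ("rejected", str(exc))


def demo(max_bytes=64):
    """Constructed lock directory holding one sane lock and each hostile replacement."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "sane.lock"), "w") as f:
        f.write("4242\n")
    os.symlink("sane.lock", os.path.join(d, "link.lock"))  # would read fine if followed
    os.mkfifo(os.path.join(d, "fifo.lock"))                # open() would block without O_NONBLOCK
    with open(os.path.join(d, "big.lock"), "wb") as f:
        f.write(b"9" * (max_bytes + 1))
    return {n: classify(os.path.join(d, n + ".lock"), max_bytes)
            for n in ("sane", "link", "fifo", "big")}
```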