filelock is vulnerable to Race Condition (TOCTOU)
Medium Risk
When SoftFileLock or SoftReadWriteLock uses a lock directory that other local users or hosts can write to, stale-lock breaking followed symlinks and trusted stale mtimes, so it could delete a live lock or leave two holders active at once. A same-UID peer could also place a FIFO at a predictable read/write marker path so that opening the marker blocked lock operations indefinitely, and is_lock_held_by_us could treat a lock written by a process with the same PID on another host as owned locally. A lock-file PID outside the valid range, which an attacker who can write the lock file controls, could prevent stale-lock recovery or abort acquisition with an uncaught error. The fix uses lstat instead of stat, atomic rename-and-recheck when breaking a lock, non-blocking marker opens, hostname-aware holder checks, and strict PID range validation during self-heal.
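The mitigations listed above, shown together in one hardened self-heal routine for a soft (marker-file) lock. This is an added example written for this page, not filelock's own implementation: the "hostname:pid" marker format, the PID_MAX constant, the rename-then-link restore step and all function names are assumptions; only the techniques (lstat, non-blocking O_NOFOLLOW opens, rename-and-recheck, host-aware ownership, PID range validation) mirror the advisory's fix list. The scenarios in run_scenarios are constructed in a temporary directory.

```python
"""Hardened stale-lock handling for a soft marker lock (illustrative, not filelock's code).

Assumed marker format: the lock file holds "hostname:pid" as ASCII. POSIX only.
"""
from __future__ import annotations

import os
import socket
import stat
import tempfile
import time
import uuid

# Assumption: Linux 64-bit default pid_max; read /proc/sys/kernel/pid_max on real systems.
PID_MAX = 4_194_304

# O_NONBLOCK: a FIFO planted at the marker path cannot stall the open.
# O_NOFOLLOW: a symlink planted at the marker path is not followed.
HOLDER_FLAGS = os.O_RDONLY | getattr(os, "O_NONBLOCK", 0) | getattr(os, "O_NOFOLLOW", 0)


def parse_holder(data: bytes) -> tuple[str, int] | None:
    """Parse 'host:pid'; anything outside 1..PID_MAX is rejected here, not raised later."""
    try:
        host, pid_text = data.decode("ascii").strip().rsplit(":", 1)
        pid = int(pid_text)
    except (UnicodeDecodeError, ValueError):
        return None
    if not host or not (1 <= pid <= PID_MAX):
        return None
    return host, pid


def read_holder(path: str) -> tuple[str, int] | None:
    """Read the marker without blocking and without trusting anything but a regular file."""
    try:
        fd = os.open(path, HOLDER_FLAGS)
    except OSError:
        return None
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            return None  # FIFO, device or similar: never treat it as a lock holder
        return parse_holder(os.read(fd, 256))
    finally:
        os.close(fd)


def is_lock_held_by_us(path: str) -> bool:
    """Ownership requires the same host AND the same pid; a same-PID lock from another host is foreign."""
    return read_holder(path) == (socket.gethostname(), os.getpid())


def break_stale_lock(path: str, max_age: float, now: float | None = None) -> bool:
    """Remove the lock only if it is a regular file that is still stale after an atomic rename."""
    now = time.time() if now is None else now
    try:
        st = os.lstat(path)  # lstat: a symlink's own metadata, never its target's
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(st.st_mode) or now - st.st_mtime < max_age:
        return False  # refuse symlinks/FIFOs outright; leave fresh locks alone
    claimed = f"{path}.stale.{uuid.uuid4().hex}"
    try:
        os.rename(path, claimed)  # atomic: only one breaker can claim this inode
    except FileNotFoundError:
        return False
    st2 = os.lstat(claimed)  # recheck: the path may have been replaced after the first lstat
    if stat.S_ISREG(st2.st_mode) and now - st2.st_mtime >= max_age:
        os.unlink(claimed)
        return True
    try:
        os.link(claimed, path)  # we displaced a live lock: put it back unless the path was re-taken
    except FileExistsError:
        pass  # residual window: the displaced holder's is_lock_held_by_us will now fail
    os.unlink(claimed)
    return False


def run_scenarios() -> dict:
    """Constructed scenarios (fresh, stale, symlink, FIFO, bad PIDs); returns outcomes."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        host, pid, old = socket.gethostname(), os.getpid(), time.time() - 3600
        live = os.path.join(d, "live.lock")
        with open(live, "wb") as f:
            f.write(f"{host}:{pid}".encode())
        out["fresh_kept"] = not break_stale_lock(live, max_age=60)
        out["ours"] = is_lock_held_by_us(live)
        with open(live, "wb") as f:
            f.write(f"otherhost:{pid}".encode())
        out["same_pid_other_host_not_ours"] = not is_lock_held_by_us(live)
        os.utime(live, (old, old))
        out["stale_broken"] = break_stale_lock(live, max_age=60) and not os.path.exists(live)
        victim = os.path.join(d, "victim")
        open(victim, "wb").close()
        os.utime(victim, (old, old))
        link = os.path.join(d, "link.lock")
        os.symlink(victim, link)
        out["symlink_refused"] = not break_stale_lock(link, max_age=60) and os.path.exists(victim)
        fifo = os.path.join(d, "fifo.lock")
        os.mkfifo(fifo)
        out["fifo_nonblocking"] = read_holder(fifo) is None
        out["bad_pids"] = all(parse_holder(b) is None
                              for b in (b"h:0", b"h:-7", b"h:99999999999", b"h:abc", b"nocolon"))
    return out


if __name__ == "__main__":
    print(run_scenarios())
```

The rename step is what closes the check-then-delete window: after lstat reports the file stale, the only action taken on the shared path is an atomic rename of whatever is there now, and the staleness check is repeated on the private renamed name before anything is unlinked. Without O_NONBLOCK, the FIFO scenario would hang at os.open until a writer appeared.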
You are affected if you are using a version that falls within the vulnerable range and use SoftFileLock or SoftReadWriteLock on a lock directory that untrusted local peers or other hosts can write to.
filelock is vulnerable to Race Condition (TOCTOU) in versions 3.22.0 - 3.29.1.
Upgrade the filelock library to a patched version (later than 3.29.1).