Vulnerability Report
Package: filelock (transitive dependency)
Installed Version: 3.18.0
CVEs
| CVE / GHSA ID | Description | Severity | Fixed In |
|---|---|---|---|
| GHSA-qmgc-5h2g-mvrw | TOCTOU Symlink Vulnerability in SoftFileLock | High | 3.20.3 |
| GHSA-w853-jp5j-5j7f | TOCTOU race condition allowing symlink attacks | High | 3.20.1 |
Details
filelock 3.18.0 contains two TOCTOU (Time-of-Check Time-of-Use) vulnerabilities related to symlink handling in SoftFileLock. These allow symlink attacks that could be exploited by local attackers.
Both vulnerabilities are fixed in filelock >= 3.20.3.
Impact
filelock is a transitive dependency, pulled in via dev dependencies (likely virtualenv or pre-commit). While the attack surface is limited to local development environments, the fix is straightforward.
Remediation
Constrain filelock >= 3.20.3 in dev dependencies or update parent packages that pull it in.
Found by osv-scanner