CVE-2025-68146

6.3 MEDIUM

📋 TL;DR

A time-of-check/time-of-use (TOCTOU) race condition in filelock versions before 3.20.1 allows local attackers to corrupt or truncate arbitrary user files through symlink attacks. All users of filelock on Unix, Linux, macOS, and Windows systems are impacted, and the vulnerability cascades to dependent libraries. Attackers need local filesystem access and the ability to create symlinks.

💻 Affected Systems

Products:
  • filelock
  • any Python application or library using filelock
Versions: All versions prior to 3.20.1
Operating Systems: Unix, Linux, macOS, Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Windows requires Developer Mode enabled for symlink creation. Vulnerability affects both UnixFileLock and WindowsFileLock classes.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Critical user files (configuration, databases, documents) are permanently corrupted or truncated, causing data loss, service disruption, or system instability.

🟠

Likely Case

Targeted corruption of specific user files the attacker wants to damage, potentially causing application failures or data loss.

🟢

If Mitigated

With restrictive directory permissions preventing symlink creation, impact is limited to authorized users only.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access, symlink creation permissions, and predictable lock file paths. Successful within 1-3 attempts when conditions are met.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.20.1

Vendor Advisory: https://github.com/tox-dev/filelock/security/advisories/GHSA-w853-jp5j-5j7f

Restart Required: No

Instructions:

1. Update filelock: pip install --upgrade filelock==3.20.1
2. Verify update: pip show filelock
3. Restart any applications using filelock

🔧 Temporary Workarounds

Use SoftFileLock instead (platform: all)

Replace UnixFileLock/WindowsFileLock with SoftFileLock (different locking semantics, may not be suitable for all use cases). Modify code to import and use SoftFileLock instead of UnixFileLock/WindowsFileLock.

Restrict lock directory permissions (platform: linux)

Set restrictive permissions on directories containing lock files to prevent untrusted users from creating symlinks:

chmod 0700 /path/to/lock/directory

🧯 If You Can't Patch

  • Monitor lock file directories for suspicious symlinks before running trusted applications
  • Isolate applications using filelock to environments with trusted users only
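One way to carry out the first bullet before launching an application, as an added example that is not part of this advisory or of the filelock project: the script audits a lock directory for planted symlinks and for group/world write permission (the condition the chmod 0700 workaround removes). It assumes a POSIX filesystem; the directories and the planted link in `_demo()` are constructed test fixtures.

```python
# Added example (not advisory/project code): pre-launch audit of a lock directory.
import os
import stat
import tempfile
from pathlib import Path


def audit_lock_dir(lock_dir: str) -> dict:
    """Report symlinks in lock_dir and whether non-owners can write to it."""
    d = Path(lock_dir)
    mode = d.lstat().st_mode
    findings = {
        "symlinks": [],
        "group_writable": bool(mode & stat.S_IWGRP),
        "world_writable": bool(mode & stat.S_IWOTH),
    }
    for entry in d.iterdir():
        if entry.is_symlink():
            # readlink does not follow the link, so a dangling target is fine
            findings["symlinks"].append((entry.name, os.readlink(entry)))
    return findings


def is_safe(findings: dict) -> bool:
    """Safe means no symlinks and owner-only write access (0700-style)."""
    return not (findings["symlinks"] or findings["group_writable"]
                or findings["world_writable"])


def _demo() -> tuple:
    """Constructed scenario: weak dir with a planted symlink, plus a 0700 dir."""
    base = Path(tempfile.mkdtemp())
    target = base / "victim.cfg"
    target.write_text("important=1\n")
    weak = base / "locks"
    weak.mkdir()
    os.chmod(weak, 0o777)  # force the weak mode regardless of umask
    (weak / "app.lock").symlink_to(target)  # constructed planted link
    hardened = base / "locks_hardened"
    hardened.mkdir()
    os.chmod(hardened, 0o700)
    (hardened / "app.lock").touch()  # a regular lock file is fine
    return audit_lock_dir(str(weak)), audit_lock_dir(str(hardened))


if __name__ == "__main__":
    for name, f in zip(("weak", "hardened"), _demo()):
        print(name, "safe" if is_safe(f) else "UNSAFE", f)
```

Run it against the real lock directory by calling `audit_lock_dir()` on that path and refusing to start the application when `is_safe()` returns False.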

🔍 How to Verify

Check if Vulnerable:

Check filelock version: pip show filelock | grep Version

Check Version:

pip show filelock | grep Version

Verify Fix Applied:

Confirm version is 3.20.1 or higher: pip show filelock | grep Version

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file truncation or corruption events
  • Permission denied errors when creating lock files

Network Indicators:

  • None - this is a local filesystem attack

SIEM Query:

Search for file modification events in lock file directories, especially symlink creation followed by file truncation
