Python filelock v3.20.3 Patches Critical TOCTOU Race Condition (CVE-2025-68146)
A critical security vulnerability in the widely used Python `filelock` library has been patched, closing a flaw that exposed systems to file corruption through symlink attacks. The issue, tracked as CVE-2025-68146 and GHSA-w853-jp5j-5j7f, is a Time-of-Check-Time-of-Use (TOCTOU) race condition that allows a local attacker to corrupt or truncate arbitrary files belonging to the user running the locking process. The vulnerability is not platform-specific: both Unix and Windows systems running the library are affected.
The issue resides in the `py-filelock` package maintained by tox-dev. According to the security advisory, the race occurs during lock file creation, leaving a window in which an attacker who can place a symbolic link at the lock path can redirect the operation to a sensitive file. The dependency update from version 3.20.0 to 3.20.3, managed via RenovateBot, is a direct response to this flaw. Renovate reports high merge confidence for the update, indicating a low risk of breaking changes while the critical fix is applied.
This patch is a mandatory update for any project relying on `filelock` for process synchronization. The vulnerability's local attack vector means it poses a significant risk in multi-user environments or shared systems where privilege escalation is a concern. Developers and system administrators must prioritize this update to close the security gap and prevent potential data integrity attacks facilitated by the symlink exploit.
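Two checks a defender can run in response to this advisory, as an added example that is not part of the original article or of the `filelock` project's code: a version gate that flags installations older than the fixed 3.20.3 release, and a hardened lock-file open that refuses to follow a symlink at the lock path (`O_NOFOLLOW` plus an `fstat` check that the opened object is a regular file). The hardened open is a general mitigation for this class of symlink TOCTOU bug and is an assumption about good practice, not a description of what the upstream patch changed; `demo()` builds a constructed temporary directory with a symlink to a sample "victim" file to show the refusal.

```python
import os
import stat
import tempfile

# First release carrying the fix, per the advisory (CVE-2025-68146).
PATCHED_VERSION = (3, 20, 3)


def parse_version(version: str) -> tuple:
    """Parse 'MAJOR.MINOR.PATCH[suffix]' into a 3-tuple of ints.

    Non-numeric suffixes (e.g. '3.20.3rc1') are ignored; missing parts are 0.
    """
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def filelock_is_patched(installed_version: str) -> bool:
    """True if the installed filelock version is 3.20.3 or newer."""
    return parse_version(installed_version) >= PATCHED_VERSION


def open_lock_file_nofollow(path: str, mode: int = 0o644) -> int:
    """Create-or-open a lock file in one syscall without following a symlink.

    Assumed hardening pattern (POSIX only): O_NOFOLLOW makes the kernel fail
    the open with ELOOP if the final path component is a symlink, so there is
    no separate 'check' step for an attacker to race against. The fstat
    afterwards guards against the path being a FIFO, device, or directory.
    """
    if not hasattr(os, "O_NOFOLLOW"):
        raise RuntimeError("O_NOFOLLOW is not available on this platform")
    flags = os.O_RDWR | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(path, flags, mode)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise OSError("lock path is not a regular file")
    except Exception:
        os.close(fd)
        raise
    return fd


def lock_path_is_safe(path: str) -> bool:
    """True if the lock path can be opened without following a symlink."""
    try:
        fd = open_lock_file_nofollow(path)
    except OSError:
        return False
    os.close(fd)
    return True


def demo() -> dict:
    """Constructed scenario: a symlink planted at the lock path pointing at a
    user file. The hardened open must refuse it and leave the target untouched,
    while an ordinary lock path still opens fine."""
    workdir = tempfile.mkdtemp()
    victim = os.path.join(workdir, "victim.txt")
    with open(victim, "w") as f:
        f.write("important data\n")
    planted_link = os.path.join(workdir, "lock.symlink")
    os.symlink(victim, planted_link)
    plain_lock = os.path.join(workdir, "plain.lock")
    with open(victim) as f:
        victim_intact = f.read() == "important data\n"
    return {
        "symlink_refused": not lock_path_is_safe(planted_link),
        "plain_ok": lock_path_is_safe(plain_lock),
        "victim_intact": victim_intact,
    }


if __name__ == "__main__":
    print("filelock 3.20.0 patched:", filelock_is_patched("3.20.0"))
    print("filelock 3.20.3 patched:", filelock_is_patched("3.20.3"))
    print(demo())
```

To gate a real deployment, pass `importlib.metadata.version("filelock")` to `filelock_is_patched` and fail CI or a startup health check when it returns `False`. The `O_NOFOLLOW` pattern does nothing for the parent directory components, so lock files still belong in a directory the locking user owns rather than in a shared world-writable location.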