Anonymous Intelligence Signal

Python Filelock Library Patches Critical TOCTOU Symlink Vulnerability in 3.20.3 Update

The Lab (unverified), 2026-03-29 00:26:59. Source: GitHub Issues

A critical security vulnerability has been patched in the widely used Python `filelock` library, a core dependency for coordinating concurrent file access across thousands of open-source projects. The flaw is a time-of-check to time-of-use (TOCTOU) symlink race in the `SoftFileLock` class: an attacker with write access to the directory holding the lock file could swap in a symbolic link between the moment the lock code inspects the path and the moment it creates the lock file, so that the file operation acts on a path of the attacker's choosing instead of the intended lock file and the lock can be bypassed. The fix ships in version 3.20.3, released by maintainer Gábor Bernát to address the hole directly; the flaw was introduced in a recent change.

The vulnerability was fixed in pull request #465 on the `tox-dev/filelock` GitHub repository. The root cause is a race: the check on the lock path (that it is not a symlink, or that it points where expected) and the `open()` that creates the lock file are separate system calls, so a malicious actor could replace the path with a symlink after the check passed but before the lock was actually acquired, and the open would then follow the link. The reported consequences are unauthorized access to, or corruption of, the file the link points at. This class of bug is most dangerous where lock files live in directories shared between users or between processes of different privilege, such as a world-writable temporary directory, because that is exactly where an attacker can plant the symlink. The patch closes the window by handling symbolic links correctly. In general, the only robust fix for this pattern is to drop the separate check and make the open itself refuse to follow a symlink (`O_NOFOLLOW`, or `O_CREAT | O_EXCL`, which fails with `EEXIST` when the path is a symlink regardless of its target), since any check performed before the open can be raced.
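The race described above, as a constructed illustration in Python that is added here and is not code from `filelock` or from pull request #465: a check-then-open sequence with a hook standing in for the attacker who swaps a symlink into the window, beside the hardened form in which the `open()` itself refuses symlinks. The function names, the temporary-directory layout and the `victim.txt` sample file are all assumptions made for the example; `os.symlink` needs extra privileges on Windows, so it is meant to be run on a POSIX system.

```python
import errno
import os
import stat
import tempfile


def racy_create(lock_path, during_window=None):
    """Vulnerable check-then-open (constructed illustration, not filelock's code).

    The symlink check and the open() are two separate system calls, so anyone
    who can write to the directory can swap a symlink in between them.
    `during_window` stands in for that attacker.
    """
    if os.path.islink(lock_path):                  # time of check
        raise PermissionError(f"{lock_path} is a symlink")
    if during_window is not None:
        during_window()                            # the TOCTOU window
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC  # no O_EXCL, no O_NOFOLLOW
    fd = os.open(lock_path, flags, 0o644)          # time of use: follows the link
    os.close(fd)


def safe_create(lock_path, during_window=None):
    """Hardened form: no separate check, the open() itself refuses symlinks.

    O_NOFOLLOW makes open() fail with ELOOP on a symlink; O_CREAT|O_EXCL
    independently fails with EEXIST when the path is a symlink, whatever it
    points at (POSIX). Where O_NOFOLLOW is missing, the fd that was actually
    opened is compared with an lstat() of the path as a best-effort fallback.
    """
    if during_window is not None:
        during_window()            # attacker acts here; there is no earlier check to race
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    nofollow = getattr(os, "O_NOFOLLOW", 0)        # 0 on platforms without the flag
    fd = os.open(lock_path, flags | nofollow, 0o644)
    try:
        if not nofollow:
            st_path = os.lstat(lock_path)
            st_fd = os.fstat(fd)
            if stat.S_ISLNK(st_path.st_mode) or (st_path.st_dev, st_path.st_ino) != (st_fd.st_dev, st_fd.st_ino):
                raise OSError(errno.ELOOP, "lock path is a symlink or was replaced")
    except BaseException:
        os.close(fd)
        raise
    os.close(fd)


def demonstrate():
    """Run both patterns against a constructed symlink swap and report the effect
    on a victim file. Returns the victim's size after each run and whether the
    hardened open refused the symlink."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")

        def reset_victim():
            with open(victim, "w") as f:
                f.write("important data")       # 14 bytes, constructed sample data

        def attacker(lock_path):
            # Attacker with write access to the directory aims the lock path at the victim.
            if os.path.lexists(lock_path):
                os.unlink(lock_path)
            os.symlink(victim, lock_path)

        results = {}

        reset_victim()
        racy_lock = os.path.join(d, "racy.lock")
        racy_create(racy_lock, during_window=lambda: attacker(racy_lock))
        results["racy_victim_size"] = os.path.getsize(victim)   # 0: O_TRUNC hit the victim through the link

        reset_victim()
        safe_lock = os.path.join(d, "safe.lock")
        try:
            safe_create(safe_lock, during_window=lambda: attacker(safe_lock))
            results["safe_refused"] = False
        except OSError:
            results["safe_refused"] = True      # EEXIST/ELOOP: the open refused the symlink
        results["safe_victim_size"] = os.path.getsize(victim)   # 14: untouched
        return results


if __name__ == "__main__":
    print(demonstrate())
```

The point of the comparison is structural: `racy_create` cannot be repaired by making its check faster or by checking twice, because the attacker only needs to win once between any check and the open; `safe_create` has no window because the refusal happens inside the single `open()` call.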

The `filelock` library is a fundamental building block in the Python ecosystem, used by package managers, development tools, and data pipelines to prevent race conditions, and it is frequently pulled in transitively rather than listed as a direct requirement. This swift patch highlights the ongoing security maintenance required in foundational open-source software. Developers relying on `filelock` are urged to upgrade to version 3.20.3 immediately: check the installed version with `python -c "import filelock; print(filelock.__version__)"`, upgrade with `pip install -U "filelock>=3.20.3"`, and audit lock files and environment pins, not just top-level requirements, since an old pin held by another dependency will keep the vulnerable version in place. The preceding patch release, 3.20.2, contained a separate fix for compatibility with Unix systems lacking the `O_NOFOLLOW` flag, the very `open(2)` flag that makes an open fail instead of following a symlink, which underscores both the library's active development in this area and the importance of staying current with dependencies.