Anonymous Intelligence Signal

filelock Python Library Exposes Critical TOCTOU Race Condition (CVE-2025-68146)

The Lab | unverified | 2026-04-09 09:27:09 | Source: GitHub Issues

A security vulnerability has been disclosed in the widely used Python `filelock` library, exposing systems to file corruption and data loss. The flaw, tracked as CVE-2025-68146, is a Time-of-Check-Time-of-Use (TOCTOU) race condition that lets a local attacker who can write to the directory holding a lock file corrupt or truncate other files the victim process can write, by planting a symbolic link at the lock file's path. The flaw is not platform-specific: both the Unix and the Windows lock file creation paths check whether the lock file exists and then open it with the O_TRUNC flag, and the open follows symlinks.

The vulnerability stems from the library's core mechanism for creating lock files. The advisory from the maintainers, tox-dev, explains that an attacker can exploit the window between the existence check and the open call. By creating a symlink at the lock path inside that window, the attacker redirects the O_TRUNC open to a target file of their choice, and the target is truncated to zero length the moment the lock is acquired. Because the damage lands on whatever file the symlink points at, the risk is not limited to the lock file itself: any file writable by the process that calls `filelock` is a candidate target, and the process needs no intention of touching it.
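The check-then-open pattern described above, and one way to harden it, as an added example that is not code from the `filelock` project or its advisory. The vulnerable function reproduces the pattern in miniature (existence check deciding whether to add O_CREAT, then an open that always carries O_TRUNC) and takes an optional hook that stands in for an attacker winning the race; the hardened variant drops O_TRUNC, adds O_NOFOLLOW, and verifies with fstat that it opened a regular file. The function names, the 0o644 mode, the temporary directory layout and the victim file contents are assumptions made for the demonstration; the hardened variant is one reasonable fix, not a claim about what the patched library does.

```python
import os
import stat
import tempfile
from typing import Callable, Optional


def vulnerable_acquire(lock_path: str,
                       between_check_and_open: Optional[Callable[[], None]] = None) -> int:
    """Constructed TOCTOU pattern: exists() check, then open() with O_TRUNC.

    The hook runs between the check and the open and models the attacker
    winning the race; it is instrumentation for the demo, not part of the pattern.
    """
    flags = os.O_RDWR | os.O_TRUNC
    if not os.path.exists(lock_path):        # time of check
        flags |= os.O_CREAT
    if between_check_and_open is not None:
        between_check_and_open()             # attacker plants a symlink here
    return os.open(lock_path, flags, 0o644)  # time of use: O_TRUNC follows the symlink


def hardened_acquire(lock_path: str) -> int:
    """Open the lock file without truncating and without following a symlink.

    O_NOFOLLOW makes open() fail with ELOOP if lock_path is a symlink (Unix);
    fstat on the returned descriptor confirms we hold a regular file. A lock
    file has no content worth truncating, so O_TRUNC is simply not needed.
    """
    flags = os.O_RDWR | os.O_CREAT | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(lock_path, flags, 0o644)
    if not stat.S_ISREG(os.fstat(fd).st_mode):
        os.close(fd)
        raise OSError("lock path is not a regular file")
    return fd


def demo() -> dict:
    """Run both variants against a symlink planted at the lock path."""
    original = "precious data"  # constructed victim content
    with tempfile.TemporaryDirectory() as workdir:
        victim = os.path.join(workdir, "important.txt")
        lock = os.path.join(workdir, "app.lock")
        with open(victim, "w") as f:
            f.write(original)

        def attacker() -> None:
            # Lock file did not exist at check time; attacker redirects it now.
            os.symlink(victim, lock)

        # Vulnerable path: the open follows app.lock -> important.txt and truncates it.
        os.close(vulnerable_acquire(lock, attacker))
        with open(victim) as f:
            after_vulnerable = f.read()

        # Restore the victim; the malicious symlink is still in place.
        with open(victim, "w") as f:
            f.write(original)
        try:
            os.close(hardened_acquire(lock))
            hardened_refused = False
        except OSError:
            hardened_refused = True
        with open(victim) as f:
            after_hardened = f.read()

    return {
        "victim_truncated_by_vulnerable": after_vulnerable == "",
        "hardened_refused_symlink": hardened_refused,
        "victim_intact_after_hardened": after_hardened == original,
    }


if __name__ == "__main__":
    print(demo())
```

On Linux and macOS the vulnerable open empties `important.txt` and the hardened open raises ELOOP, leaving it untouched. The demo plants the symlink deterministically through the hook; a real attacker has to win the timing, but a lock acquired in a loop gives them as many attempts as they need.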

The disclosure has prompted immediate patching; updating the dependency to version 3.20.3 is the recommended mitigation. A flaw of this kind in a foundational utility library illustrates the reach of software supply chain risk: `filelock` is pulled in transitively by many packages, so teams should audit lock files and pinned dependencies rather than only direct requirements. The vulnerability could be used to damage data integrity across a wide range of Python applications, from web services to data processing pipelines, wherever an untrusted local user shares a filesystem with the process. The OpenSSF Scorecard badge linked in the advisory provides a starting point for assessing the project's security posture.