Main Vulnerability Database Vulnerabilities #VU121187

#VU121187 Time-of-check Time-of-use (TOCTOU) Race Condition in filelock - CVE-2025-68146

Published: January 13, 2026

Vulnerability identifier: #VU121187

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2025-68146

CWE-ID: CWE-367

Exploitation vector: Local access

Exploit availability: No public exploit available

Vulnerable software:
filelock

Software vendor:
benediktschmitt (Benedikt Schmitt)

Description

The vulnerability allows a local user to truncate arbitrary files.

The vulnerability exists due to a race condition when truncating files. A local user can create a symbolic link to a critical file on the system in the time gap between the check and open, causing os.open() to follow the symlink and truncate the target file.

Remediation

Install updates from vendor's website.

External links

https://github.com/tox-dev/filelock/commit/4724d7f8c3393ec1f048c93933e6e3e6ec321f0e
https://github.com/tox-dev/filelock/pull/461
https://github.com/tox-dev/filelock/releases/tag/3.20.1
https://github.com/tox-dev/filelock/security/advisories/GHSA-w853-jp5j-5j7f

#VU121187 Time-of-check Time-of-use (TOCTOU) Race Condition in filelock - CVE-2025-68146

Description

Remediation

External links

Please verify you're human