CVE-2026-22701: filelock Time-of-Check-Time-of-Use (TOCTOU) Symlink Vulnerability in SoftFileLock
Title: Time-of-Check-Time-of-Use (TOCTOU) Symlink Vulnerability in SoftFileLock
Affected Component: filelock package - SoftFileLock class
File: src/filelock/_soft.py lines 17-27
CWE: CWE-362, CWE-367, CWE-59
References
- github.com/advisories/GHSA-qmgc-5h2g-mvrw
- github.com/tox-dev/filelock
- github.com/tox-dev/filelock/commit/255ed068bc85d1ef406e50a135e1459170dd1bf0
- github.com/tox-dev/filelock/commit/41b42dd2c72aecf7da83dbda5903b8087dddc4d5
- github.com/tox-dev/filelock/security/advisories/GHSA-qmgc-5h2g-mvrw
- nvd.nist.gov/vuln/detail/CVE-2026-22701
Code Behaviors & Features
Detect and mitigate CVE-2026-22701 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →