fix: resolve TOCTOU vulnerabilities in app_data and lock directory creation #3013
+9
−10
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…eation Use atomic os.makedirs(..., exist_ok=True) operations instead of check-then-act pattern to prevent symlink-based TOCTOU attacks. Reported by: tsigouris007 Signed-off-by: Bernát Gábor <[email protected]>
raghotham
added a commit
to llamastack/llama-stack
that referenced
this pull request
Jan 13, 2026
Vulnerability detected in virtualenv Affected versions: < [20.36.1] Fixed in version: [20.36.1] Severity: MODERATE Identifiers: GHSA-597g-3phw-6986 CVE-2026-22702 References: GHSA-597g-3phw-6986 https://nvd.nist.gov/vuln/detail/CVE-2026-22702 pypa/virtualenv#3013 pypa/virtualenv@dec4cec GHSA-597g-3phw-6986
This was referenced Jan 14, 2026
franciscojavierarceo
pushed a commit
to franciscojavierarceo/llama-stack
that referenced
this pull request
Jan 16, 2026
Vulnerability detected in virtualenv Affected versions: < [20.36.1] Fixed in version: [20.36.1] Severity: MODERATE Identifiers: GHSA-597g-3phw-6986 CVE-2026-22702 References: GHSA-597g-3phw-6986 https://nvd.nist.gov/vuln/detail/CVE-2026-22702 pypa/virtualenv#3013 pypa/virtualenv@dec4cec GHSA-597g-3phw-6986
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in directory creation have been fixed to prevent symlink-based attacks.
Two check-then-act patterns in the codebase could be exploited by an attacker with local access:
src/virtualenv/app_data/__init__.py:39-41checks if the app_data directory exists withos.path.isdir(), then creates it withos.makedirs(). An attacker could create a symlink at the target path between the check and creation, causing virtualenv to write cache files (wheels, Python metadata) to an attacker-controlled location.src/virtualenv/util/lock.py:19-22has the same pattern when creating parent directories for lock files. When combined with the first vulnerability, this could allow an attacker to control lock file semantics and bypass concurrent access protections, enabling cache poisoning, information disclosure, lock bypass, and denial of service attacks.The fix replaces both check-then-act patterns with atomic
os.makedirs(..., exist_ok=True)operations. This is atomic at the OS level and eliminates the TOCTOU window, preventing symlink following attacks while maintaining backward compatibility.Reported by: @tsigouris007