VYPR
Moderate severity · OSV Advisory · Published Jan 10, 2026 · Updated Jan 12, 2026

virtualenv Has TOCTOU Vulnerabilities in Directory Creation

CVE-2026-22702

Description

virtualenv is a tool for creating isolated virtual Python environments. Prior to version 20.36.1, TOCTOU (time-of-check-to-time-of-use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations: the code first tests whether a directory exists and only then creates it, and a local attacker who wins the race between those two steps can plant a symlink at the expected path so that virtualenv's app_data and lock-file operations are redirected to an attacker-controlled location. This issue has been patched in version 20.36.1.
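The check-then-create window described above, as an added example that is not virtualenv's code: `vulnerable_prepare` has the pre-20.36.1 shape (an `isdir` test followed by `makedirs`), `patched_prepare` has the 20.36.1 shape (a single `makedirs(exist_ok=True)`), and `race_hook` is a constructed stand-in for the attacker being scheduled between the check and the creation. `hardened_prepare` adds a symlink refusal that is this example's own suggestion, not something the patch contains. The scenario assumes a POSIX filesystem where the local user may create symlinks.

```python
import os
import tempfile
from contextlib import suppress


def _resolve_if_writable(folder):
    # virtualenv goes on to use the folder once os.access(..., W_OK) passes;
    # realpath() shows where writes would actually land (symlinks followed).
    if os.access(folder, os.W_OK):
        return os.path.realpath(folder)
    return None


def vulnerable_prepare(folder, race_hook=None):
    """Pre-20.36.1 shape: check isdir, then makedirs.

    race_hook (constructed for this example) models the attacker getting
    scheduled between the existence check and the creation.
    """
    if not os.path.isdir(folder):
        if race_hook is not None:
            race_hook()  # the attacker's window
        with suppress(OSError):  # a FileExistsError from a planted symlink is swallowed
            os.makedirs(folder)
    return _resolve_if_writable(folder)


def patched_prepare(folder):
    """20.36.1 shape: one makedirs(exist_ok=True) call, no separate check."""
    with suppress(OSError):
        os.makedirs(folder, exist_ok=True)
    return _resolve_if_writable(folder)


def hardened_prepare(folder):
    """patched_prepare plus a symlink refusal.

    The islink() check is an assumption of this example, not part of the patch:
    exist_ok=True treats a symlink that resolves to a directory as "exists".
    """
    with suppress(OSError):
        os.makedirs(folder, exist_ok=True)
    if os.path.islink(folder):
        raise RuntimeError(f"refusing symlinked folder {folder!r}")
    return _resolve_if_writable(folder)


def run_scenario():
    """Constructed scenario: the attacker owns `evil`, the victim expects `app_data`.

    Returns a dict of booleans describing where each variant ended up writing.
    """
    results = {}
    with tempfile.TemporaryDirectory() as root:
        evil = os.path.join(root, "evil")
        os.mkdir(evil)
        target = os.path.join(root, "app_data")

        def plant_symlink():
            os.symlink(evil, target)

        # 1. Race the check-then-create version: the planted symlink makes
        #    makedirs fail (suppressed), access() follows it, writes land in evil.
        results["vulnerable_redirected"] = (
            vulnerable_prepare(target, plant_symlink) == os.path.realpath(evil)
        )
        os.remove(target)  # drop the symlink, not the attacker's directory

        # 2. Undisturbed run of the patched version: a real directory is created.
        results["patched_clean"] = patched_prepare(target) == os.path.realpath(target)
        os.rmdir(target)

        # 3. Symlink planted *before* the patched version runs: there is no race
        #    to win any more, but exist_ok=True accepts the existing symlink.
        plant_symlink()
        results["patched_follows_preplanted"] = (
            patched_prepare(target) == os.path.realpath(evil)
        )

        # 4. The hardened variant refuses the same pre-planted symlink.
        try:
            hardened_prepare(target)
            results["hardened_refused"] = False
        except RuntimeError:
            results["hardened_refused"] = True
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

Scenario 1 is the race the advisory describes; scenario 3 is the reason a post-creation `islink` check is worth adding on top of `exist_ok=True`: removing the separate check closes the window, but a path that already exists as a symlink is still followed by both `makedirs` and `os.access`.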

Affected packages

Versions sourced from the GitHub Security Advisory.

Package               Affected versions   Patched versions
virtualenv (PyPI)     < 20.36.1           20.36.1


Patches

dec4cec5d16e

Merge pull request #3013 from gaborbernat/fix-sec

https://github.com/pypa/virtualenv · Bernát Gábor · Jan 9, 2026 · via ghsa
3 files changed · +9 −10
  • docs/changelog/3013.bugfix.rst+1 0 added
    @@ -0,0 +1 @@
    +Fix TOCTOU vulnerabilities in app_data and lock directory creation that could be exploited via symlink attacks - reported by :user:`tsigouris007`, fixed by :user:`gaborbernat`.
    
  • src/virtualenv/app_data/__init__.py+5 6 modified
    @@ -36,12 +36,11 @@ def make_app_data(folder, **kwargs):
         if is_read_only:
             return ReadOnlyAppData(folder)
     
    -    if not os.path.isdir(folder):
    -        try:
    -            os.makedirs(folder)
    -            LOGGER.debug("created app data folder %s", folder)
    -        except OSError as exception:
    -            LOGGER.info("could not create app data folder %s due to %r", folder, exception)
    +    try:
    +        os.makedirs(folder, exist_ok=True)
    +        LOGGER.debug("created app data folder %s", folder)
    +    except OSError as exception:
    +        LOGGER.info("could not create app data folder %s due to %r", folder, exception)
     
         if os.access(folder, os.W_OK):
             return AppDataDiskFolder(folder)
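Review bot: `os.makedirs(folder, exist_ok=True)` removes the separate `isdir` check, but `exist_ok=True` still accepts a pre-existing symlink that resolves to a directory, and the `os.access(folder, os.W_OK)` below follows that symlink too, so a symlink planted at `folder` before this call is still accepted and `AppDataDiskFolder(folder)` will operate on the link target; consider rejecting `os.path.islink(folder)` before returning `AppDataDiskFolder(folder)`. Also, `LOGGER.debug("created app data folder %s", folder)` now fires whether or not the folder already existed, so the wording should no longer claim it was created.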
    
  • src/virtualenv/util/lock.py+3 4 modified
    @@ -17,9 +17,8 @@
     class _CountedFileLock(FileLock):
         def __init__(self, lock_file) -> None:
             parent = os.path.dirname(lock_file)
    -        if not os.path.isdir(parent):
    -            with suppress(OSError):
    -                os.makedirs(parent)
    +        with suppress(OSError):
    +            os.makedirs(parent, exist_ok=True)
     
             super().__init__(lock_file)
             self.count = 0
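Review bot: with the `isdir` guard gone, `with suppress(OSError)` around `os.makedirs(parent, exist_ok=True)` silently hides the `FileExistsError` raised when `parent` exists as something other than a directory (a regular file or a dangling symlink), and `super().__init__(lock_file)` then proceeds against a path that cannot hold the lock file; consider logging the suppressed exception, or checking `os.path.isdir(parent) and not os.path.islink(parent)` after the call, so the failure is visible here rather than deferred to the later acquire.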
    @@ -117,7 +116,7 @@ def _lock_file(self, lock, no_block=False):  # noqa: FBT002
             # a lock, but that lock might then become expensive, and it's not clear where that lock should live.
             # Instead here we just ignore if we fail to create the directory.
             with suppress(OSError):
    -            os.makedirs(str(self.path))
    +            os.makedirs(str(self.path), exist_ok=True)
     
             try:
                 lock.acquire(0.0001)
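Review bot: `os.makedirs(str(self.path), exist_ok=True)` keeps the `str()` wrapper, which is redundant since `os.makedirs` accepts path-like objects; pass `self.path` directly. The comment above ("we just ignore if we fail to create the directory") still describes the behaviour, but since `exist_ok=True` only tolerates an existing directory, it would be worth extending it to say that an existing non-directory at `self.path` is ignored here as well and will surface from `lock.acquire(0.0001)` instead.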
    
