Skip to content

TOCTOU race allows symlink traversal even when follow_links is disabled #209

Description

@DepthFirstDisclosures

A time-of-check/time-of-use (TOCTOU) race condition allows walkdir to traverse a symlink even with follow_links disabled, the default behavior.

When a privileged process uses walkdir on directories writable by an untrusted user, an attacker can exploit this race to redirect traversal into unintended filesystem locations. This violates the documented guarantee that walkdir does not follow symlinks unless explicitly enabled.

Technical Details

walkdir verifies an entry’s type in handle_entry() and later opens it in push() using fs::read_dir(). These are separate filesystem operations. If an attacker replaces the checked directory with a symlink between those calls, walkdir will descend into the symlink despite follow_links(false).

Impact

This behavior breaks a core safety property relied on by callers using walkdir to traverse untrusted paths. In higher-privilege contexts, it can result in traversal outside the intended directory tree. Depending on how the application uses the enumerated paths, this can enable unauthorized data access, modification, or other security violations.

Fix

A complete fix is non-trivial and likely requires internal refactoring.

Status: CVE requested; ID pending. This public Github issue is filed following the maintainer’s guidance.

Researched by Mav Levin @ DepthFirst

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions