Go filepath Package TOCTOU Race Condition Vulnerability in Walk and WalkDir Functions

Vulnerability

A time-of-check-to-time-of-use (TOCTOU) race condition has been identified in the Go standard library's path/filepath package, specifically in the Walk and WalkDir functions. Both functions are documented not to follow symbolic links, and they honour that by checking each entry's type before descending (Lstat in Walk, the DirEntry type reported by the parent directory listing in WalkDir). That check is not atomic with any later use of the path: an attacker who can write to the tree being walked can replace an already-checked directory component with a symbolic link while the walk is still in progress, after which the walker's own read of that directory, or the callback's open of a name it was handed, resolves through the link to wherever it points. The race is inherent in the shape of the Walk and WalkDir APIs, which pass file names rather than open handles to the callback, so the package itself cannot close it. A callback that must not traverse symlinks therefore has to open files through a method that refuses to follow them out of the tree, for example an os.Root (Go 1.24 and later), rather than simply opening the path string it received. This issue has been assigned CVE-2024-8244.
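The race described above, carried through in Go as an added example (this is not code from the Go project or from the advisory): the same WalkDir traversal is run twice, once with a callback that opens the path it was handed and once with a callback that opens the same relative path through an os.Root (Go 1.24 and later). The tree layout, the file names and the attackerWins hook are constructed for the demonstration; the hook performs the directory-to-symlink swap from inside the callback so the outcome is deterministic, whereas a real attacker has to land the rename in the window between the walker classifying d as a directory and listing its entries.

```go
package main

import (
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
)

// buildTree lays out a constructed tree: tree/top.txt and tree/d/inside.txt are
// inside the walked tree; outside/secret.txt must never be read by the walk.
func buildTree(base string) (tree, outside string, err error) {
	tree, outside = filepath.Join(base, "tree"), filepath.Join(base, "outside")
	for p, c := range map[string]string{
		filepath.Join(tree, "top.txt"):         "top",
		filepath.Join(tree, "d", "inside.txt"): "inside",
		filepath.Join(outside, "secret.txt"):   "secret",
	} {
		if err = os.MkdirAll(filepath.Dir(p), 0o755); err == nil {
			err = os.WriteFile(p, []byte(c), 0o644)
		}
		if err != nil {
			return "", "", err
		}
	}
	return tree, outside, nil
}

// attackerWins models the attacker winning the race: WalkDir has classified "d"
// as a directory (the check) but not yet listed it (the use). Firing the swap
// from the callback is a simulation; a real attacker must hit that window.
func attackerWins(tree, outside, path string, d fs.DirEntry) (bool, error) {
	if !d.IsDir() || path != filepath.Join(tree, "d") {
		return false, nil
	}
	if err := os.Rename(path, path+".moved"); err != nil {
		return true, err
	}
	return true, os.Symlink(outside, path)
}

// walkTree walks tree, lets the attacker swap "d", and hands every regular file
// to read. It returns rel path -> contents and the rel paths whose read failed.
func walkTree(tree, outside string, read func(rel, abs string) ([]byte, error)) (map[string]string, []string, error) {
	seen, refused := map[string]string{}, []string(nil)
	err := filepath.WalkDir(tree, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if swapped, err := attackerWins(tree, outside, path, d); swapped || err != nil {
			return err
		}
		if !d.Type().IsRegular() {
			return nil
		}
		rel, _ := filepath.Rel(tree, path)
		data, err := read(rel, path)
		if err != nil {
			refused = append(refused, rel)
			return nil
		}
		seen[rel] = string(data)
		return nil
	})
	return seen, refused, err
}

// readNaive is what most callbacks do: open the path they were handed.
// os.ReadFile follows symlinks in every component, including the planted "d".
func readNaive(_, abs string) ([]byte, error) { return os.ReadFile(abs) }

// walkHardened opens every file through an os.Root (Go 1.24+). Root resolves
// the relative path itself and refuses a symlink that leads outside the tree,
// so after the swap d/secret.txt fails with "path escapes from parent".
func walkHardened(tree, outside string) (map[string]string, []string, error) {
	root, err := os.OpenRoot(tree)
	if err != nil {
		return nil, nil, err
	}
	defer root.Close()
	return walkTree(tree, outside, func(rel, _ string) ([]byte, error) {
		f, err := root.Open(rel)
		if err != nil {
			return nil, err
		}
		defer f.Close()
		return io.ReadAll(f)
	})
}

func main() {
	base, _ := os.MkdirTemp("", "walkrace")
	defer os.RemoveAll(base)
	tree, outside, _ := buildTree(filepath.Join(base, "a"))
	seen, refused, err := walkTree(tree, outside, readNaive)
	fmt.Println("naive:   ", seen, refused, err)
	tree, outside, _ = buildTree(filepath.Join(base, "b"))
	seen, refused, err = walkHardened(tree, outside)
	fmt.Println("hardened:", seen, refused, err)
}
```

The naive walk returns the contents of outside/secret.txt under the in-tree name d/secret.txt, because WalkDir's own os.ReadDir descends through the swapped directory and os.ReadFile then follows the same link. The hardened walk reads top.txt and refuses d/secret.txt. Note what os.Root does and does not promise: it confines path resolution to the tree, so symlinks that stay inside the tree are still followed, and it does nothing to stop the walker itself from listing the swapped directory; the callback has to be written on the assumption that any name it receives may no longer belong to the tree.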

Impact

An attacker who can modify the tree being walked can redirect the walker, or the callback that processes its entries, to files outside that tree, resulting in unauthorized reading or modification of files that the symlink-skipping behaviour of Walk and WalkDir was meant to rule out. What is exposed depends on what the callback does with each path it receives: a scanner will read the link target, a cleanup or rewrite routine will delete or overwrite it.

Added: Aug 6, 2025, 4:28 PM
Updated: Aug 6, 2025, 4:28 PM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 2.5
exploitability: 4.3
remediation: 0.0
relevance: 0.3
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.