pypa virtualenv
cpe:2.3:a:virtualenv:virtualenv:*:*:*:*:*:*:*
- < 20.36.1
A TOCTOU (time-of-check-to-time-of-use) vulnerability has been identified in virtualenv, a tool for creating isolated Python environments, prior to version 20.36.1. It allows a local attacker to mount symlink-based attacks during directory creation. virtualenv first checks whether a directory exists and then creates it; an attacker who can write to the parent of that path (for example a shared temporary directory) can plant a symlink in the window between the check and the creation, redirecting virtualenv's app_data (its on-disk cache) and lock file operations to locations under the attacker's control. This issue has been patched in version 20.36.1.
Exploitation could lead to cache poisoning (the attacker corrupts the Python package metadata that virtualenv caches in app_data), information disclosure (the attacker reads sensitive cached data written into a directory they control), bypass of the lock file mechanism (the lock lands in the attacker's directory, so operations that should be serialized run concurrently), and denial of service (the attacker starves or holds the lock so that normal virtualenv operations cannot proceed).
The vulnerability can be reproduced by creating a symlink at the target directory path in the window between the existence check and the creation step, so that the path virtualenv then uses resolves through the attacker's link. Because that window is narrow, a practical attacker repeats the attempt until the timing lines up; whether the result is a redirected write or only a failed run depends on how the creation step handles an already existing entry.
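As an added illustration (example code, not virtualenv's own code or its fix), the Python below reproduces the check-then-create race deterministically, using a hook that stands in for the attacker winning the race, and contrasts it with a create-then-verify pattern: no separate existence check, an lstat() that refuses symlinks and foreign ownership, and an O_NOFOLLOW directory descriptor used with dir_fd= for later writes. The attacker_hook seam, the function names and the temporary-directory layout are assumptions of this example, and the directory-fd hardening is POSIX-only; it is not a claim about what the 20.36.1 patch does.

```python
import os
import stat
import tempfile
from pathlib import Path


def vulnerable_ensure_dir(target: Path, attacker_hook=None) -> None:
    """Check-then-create: the gap between exists() and mkdir() is the race window.

    attacker_hook is a test seam invented for this example (not a virtualenv API);
    it runs inside that window so the race can be reproduced deterministically.
    """
    if not target.exists():                         # time of check
        if attacker_hook is not None:
            attacker_hook()                         # attacker plants a symlink here
        target.mkdir(parents=True, exist_ok=True)   # time of use: EEXIST is swallowed
                                                    # because is_dir() follows the link
    # everything later written "under target" now lands in the attacker's directory


def hardened_ensure_dir(target: Path) -> int:
    """Create first, then verify what is really on disk; no separate exists() check.

    Returns an O_NOFOLLOW directory fd so later operations can use dir_fd= and
    cannot be redirected by a symlink swapped in afterwards (POSIX only).
    """
    try:
        target.mkdir(parents=True)
    except FileExistsError:
        pass                        # acceptable only if the checks below pass
    st = os.lstat(target)           # lstat does not follow a planted symlink
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
        raise RuntimeError(f"{target}: not a real directory (symlink planted?)")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        raise RuntimeError(f"{target}: owned by uid {st.st_uid}, not by us")
    # O_DIRECTORY|O_NOFOLLOW: the open fails instead of following a link
    return os.open(target, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)


def write_cache_entry(dirfd: int, name: str, data: bytes) -> None:
    """Write a file relative to the verified directory fd.

    O_EXCL|O_NOFOLLOW refuses a pre-planted file or symlink of the same name.
    """
    fd = os.open(name, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW,
                 0o600, dir_fd=dirfd)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def demo_vulnerable() -> bool:
    """Constructed scenario: the attacker wins the race. True if the victim's
    cache write landed in the attacker's directory."""
    with tempfile.TemporaryDirectory() as tmp:
        shared = Path(tmp)                          # stands in for a shared /tmp
        target = shared / "virtualenv-app-data"     # victim's intended app_data
        attacker_dir = shared / "attacker"
        attacker_dir.mkdir()
        vulnerable_ensure_dir(target, attacker_hook=lambda: os.symlink(attacker_dir, target))
        (target / "cache.json").write_bytes(b'{"poisoned": true}')   # victim's write
        return (attacker_dir / "cache.json").read_bytes() == b'{"poisoned": true}'


def demo_hardened_under_attack() -> bool:
    """Same planted symlink; True if the hardened version refuses to proceed."""
    with tempfile.TemporaryDirectory() as tmp:
        shared = Path(tmp)
        target = shared / "virtualenv-app-data"
        attacker_dir = shared / "attacker"
        attacker_dir.mkdir()
        os.symlink(attacker_dir, target)            # attacker already won the race
        try:
            os.close(hardened_ensure_dir(target))
        except RuntimeError:
            return True
        return False


def demo_hardened_clean() -> bytes:
    """No attacker: the hardened path creates the real directory and writes via dir_fd."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "virtualenv-app-data"
        dirfd = hardened_ensure_dir(target)
        try:
            write_cache_entry(dirfd, "cache.json", b'{"seed": "pip"}')
        finally:
            os.close(dirfd)
        return (target / "cache.json").read_bytes()


if __name__ == "__main__":
    print("vulnerable redirected write:", demo_vulnerable())
    print("hardened refused symlink:   ", demo_hardened_under_attack())
    print("hardened clean write:       ", demo_hardened_clean())
```

The vulnerable variant succeeds silently because mkdir(exist_ok=True) treats a symlink to a directory as "already exists", which is exactly how a redirected app_data or lock path goes unnoticed. The hardened variant still assumes the parent directory cannot be replaced under it; if the attacker owns the parent, no check on the child helps, which is why the mitigation below keeps app_data out of shared writable locations.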
Users are advised to upgrade to virtualenv version 20.36.1 or later. If an immediate upgrade is not possible, set the VIRTUALENV_OVERRIDE_APP_DATA environment variable to a directory that is owned by the invoking user and has restricted permissions (for example mode 0700), and verify that it is a real directory rather than a symlink. Avoid running virtualenv with app_data in shared temporary directories where other users can write, and consider separate user accounts for different projects so that their app_data directories stay isolated.