
[GHSA-597g-3phw-6986] virtualenv@20.31.2: TOCTOU vulnerability in directory creation #381

@nthmost-orkes

Description


Vulnerability Report

Package: virtualenv (transitive dependency)
Installed Version: 20.31.2

CVEs

CVE / GHSA ID: GHSA-597g-3phw-6986
Description: TOCTOU Vulnerabilities in Directory Creation
Severity: Medium
Fixed In: 20.36.1

Details

virtualenv 20.31.2 contains a TOCTOU (Time-of-Check Time-of-Use) vulnerability in its directory creation logic. An attacker with local access could exploit the race condition between checking and creating directories to redirect virtualenv operations via symlinks.

Fixed in virtualenv >= 20.36.1.
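The check-then-create race described above, as an added Python example that is not virtualenv's own code: the racy exists()/mkdir() pattern beside a create-then-open form that refuses a symlink already sitting at the target path. It assumes a POSIX system where os.O_NOFOLLOW and os.O_DIRECTORY are available.

```python
import os
import tempfile


def ensure_dir_racy(path: str) -> None:
    """Check-then-create, the TOCTOU pattern: anything planted at `path`
    between exists() and mkdir() (for example a symlink) is silently
    accepted and followed by every later write."""
    if not os.path.exists(path):
        os.mkdir(path, 0o700)


def open_dir_safe(path: str) -> int:
    """Create-then-open, with no separate check. mkdir() is atomic and fails
    with EEXIST for any pre-existing entry, symlinks included. Opening with
    O_NOFOLLOW|O_DIRECTORY refuses a symlink (ELOOP) or a non-directory
    (ENOTDIR), and the returned fd pins the real directory inode, so writes
    made via dir_fd= cannot be redirected afterwards."""
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass  # acceptable only if the open below proves it is a real directory
    return os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)


def demo() -> dict:
    """Constructed scenario in a temp dir: the target path is already a
    symlink, i.e. the race was lost. Reports what each strategy does."""
    base = tempfile.mkdtemp()
    elsewhere = os.path.join(base, "elsewhere")
    os.mkdir(elsewhere)
    target = os.path.join(base, "venv")
    os.symlink(elsewhere, target)

    results = {}
    ensure_dir_racy(target)  # exists() is True, so the symlink is accepted
    results["racy_follows_symlink"] = (
        os.path.realpath(target) == os.path.realpath(elsewhere))
    try:
        os.close(open_dir_safe(target))
        results["safe_rejects_symlink"] = False
    except OSError:  # ELOOP raised by O_NOFOLLOW
        results["safe_rejects_symlink"] = True

    fresh = os.path.join(base, "fresh")
    for _ in range(2):  # second call shows it is idempotent on a real directory
        os.close(open_dir_safe(fresh))
    results["safe_creates_real_dir"] = os.path.isdir(fresh) and not os.path.islink(fresh)
    return results


if __name__ == "__main__":
    print(demo())
```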

Impact

virtualenv is a transitive dependency, pulled in via pre-commit (a dev dependency). The attack surface is limited to local development environments where an attacker has write access to the filesystem.

Remediation

Constrain virtualenv >= 20.36.1 in dev dependencies or update pre-commit to a version that pulls in the patched virtualenv.


Found by osv-scanner
