CWE-362 Race Condition (TOCTOU)
Coverage: 9 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 9 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.
What this means
SiteShadow flagged a check‑then‑use pattern where state can change between two operations (classic TOCTOU). Example: "check file exists" then "open file", or "check permission" then "perform action".
Why it matters
Attackers can change state between a check and the action.
- File exploits: symlinks/path swaps can redirect reads/writes.
- Authz bypass edge cases: state changes between checks can slip through.
- Hard to reproduce, so it often survives into production.
Safer examples
1) Use atomic operations
Use OS/library calls that combine the check and the use (platform dependent).
2) Prefer handles over paths
Operate on file descriptors/handles rather than re-resolving attacker-controlled paths.
3) Avoid world-writable directories for sensitive operations
Use application-owned directories with strict permissions and safe temp helpers.
How SiteShadow detects it (high level)
- Looks for patterns like
exists/stat/accessfollowed byopen/writeon the same target, especially with user-controlled paths. - Flags common TOCTOU patterns around temp files and uploads.
References
- CWE-362: https://cwe.mitre.org/data/definitions/362.html
---
← Back to Vulnerability Library
Catch this with SiteShadow Pro.
This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.