CWE-362 Race Condition (TOCTOU)
What this means
SiteShadow flagged a check-then-use pattern where state can change between two operations (classic TOCTOU). Example: "check file exists" then "open file", or "check permission" then "perform action".
Why it matters
Attackers can change state between a check and the action.
- File exploits: symlinks/path swaps can redirect reads/writes.
- Authz bypass edge cases: state changes between checks can slip through.
- Hard to reproduce, so it often survives into production.
Safer examples
1) Use atomic operations
Use OS/library calls that combine the check and the use (platform dependent).
2) Prefer handles over paths
Operate on file descriptors/handles rather than re-resolving attacker-controlled paths.
3) Avoid world-writable directories for sensitive operations
Use application-owned directories with strict permissions and safe temp helpers.
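As an added illustration of points 1 to 3 above (example code written for this page, not SiteShadow's detection logic or any project's code), the Python below places the flagged check-then-use shape beside its atomic, handle-based replacement and runs both inside a private mkdtemp directory. It assumes a POSIX filesystem that supports symlinks and O_EXCL/O_NOFOLLOW semantics; the file names and report contents are constructed for the demo.

```python
import os
import shutil
import tempfile

def write_new_file_toctou(path: str, data: bytes) -> None:
    """The check-then-use shape CWE-362 describes, kept only for contrast.
    exists() and open() are two syscalls that each resolve the path, so a
    symlink planted between them is followed by open() without complaint."""
    if os.path.exists(path):                 # check
        raise FileExistsError(path)
    with open(path, "wb") as fh:             # use: resolves the path again
        fh.write(data)

def write_new_file_atomic(path: str, data: bytes) -> int:
    """Hardened form: one os.open() both checks and creates. O_EXCL fails
    with EEXIST if anything (regular file or symlink, dangling or not) already
    occupies the path, O_NOFOLLOW refuses to follow a symlink, and all later
    work happens on the descriptor, never on the path. Returns bytes written."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)         # check + create in a single syscall
    try:
        return os.write(fd, data)            # use: handle, not path
    finally:
        os.close(fd)

def demo() -> dict:
    """Reproduce the losing side of the race deterministically: a dangling
    symlink already sits where each report will be written, standing in for
    the state change that happens between check and use. The work directory
    comes from mkdtemp (mode 0o700), i.e. it is application-owned."""
    workdir = tempfile.mkdtemp(prefix="cwe362-demo-")   # constructed sandbox
    results = {}
    try:
        for name, writer in (("toctou", write_new_file_toctou),
                             ("atomic", write_new_file_atomic)):
            target = os.path.join(workdir, f"{name}-redirect.txt")  # link destination
            report = os.path.join(workdir, f"{name}-report.txt")
            os.symlink(target, report)       # dangling: exists(report) is False
            try:
                writer(report, b"report body")
                results[name] = "redirected" if os.path.exists(target) else "wrote"
            except FileExistsError:
                results[name] = "refused"     # O_EXCL saw the symlink
        # On a clean path the hardened writer simply works.
        results["atomic_clean"] = write_new_file_atomic(
            os.path.join(workdir, "clean-report.txt"), b"report body")
    finally:
        shutil.rmtree(workdir)
    return results
```

The `toctou` writer ends up creating the symlink's destination, which is the redirect the "Why it matters" list describes, while the `atomic` writer refuses before any write happens.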
How SiteShadow detects it (high level)
- Looks for patterns like exists/stat/access followed by open/write on the same target, especially with user-controlled paths.
- Flags common TOCTOU patterns around temp files and uploads.
References
- CWE-362: https://cwe.mitre.org/data/definitions/362.html
---