Race Condition Affecting tenzir/tenzir package, versions [,2020.01.31)

Q: How to fix?

Upgrade tenzir/tenzir to version 2020.01.31 or higher.

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Race Condition vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-UNMANAGED-TENZIRTENZIR-14157237
published5 Dec 2025
disclosed2 Dec 2025
creditUnknown

Report a new vulnerability Found a mistake?

Introduced: 2 Dec 2025

NewCWE-362 (opens in a new tab)

How to fix?

Upgrade tenzir/tenzir to version 2020.01.31 or higher.

Overview

Affected versions of this package are vulnerable to Race Condition via a race condition in the index query logic during export operations. Improper synchronization in the vast export path allows concurrent index access to return incomplete or empty result sets. An attacker can exploit this by triggering concurrent exports or timing queries during index updates, causing sensitive data to be omitted from results and enabling log evasion or concealment of malicious activity.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
High
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
Low
Integrity (VI)
None
Availability (VA)
Low

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None