Time of Check Time of Use (TOCTOU) Affecting chownr package, versions <1.1.0



    Attack Complexity Low
    User Interaction Required

    Threat Intelligence

    EPSS 0.04% (6th percentile)
Expand this section
2.5 low
Expand this section
Red Hat
7.7 high

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID npm:chownr:20180731
  • published 31 Jul 2018
  • disclosed 31 Jul 2018
  • credit Jeff Epler

How to fix?

Upgrade chownr to version 1.1.0 or higher.


chownr is a package that takes the same arguments as fs.chown()

Affected versions of this package are vulnerable to Time of Check Time of Use (TOCTOU). Affected versions of this package are vulnerable toTime of Check Time of Use (TOCTOU) attacks.

It does not dereference symbolic links and changes the owner of the link, which can trick it into descending into unintended trees if a non-symlink is replaced by a symlink at a critical moment:

      fs.lstat(pathChild, function(er, stats) {
        if (er)
          return cb(er)
        if (!stats.isSymbolicLink())
          chownr(pathChild, uid, gid, then)