CVE-2022-48682 in FDUPES
Summary
by MITRE • 04/26/2024
In deletefiles in FDUPES before 2.2.0, a TOCTOU race condition allows arbitrary file deletion via a symlink.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 11/24/2025
The vulnerability identified as CVE-2022-48682 resides within the deletefiles functionality of FDUPES version 2.1.9 and earlier, representing a critical security flaw that enables malicious actors to exploit a time-of-check to time-of-use race condition. This vulnerability specifically affects the file deletion process where the software performs a check to determine whether a file can be safely deleted and subsequently executes the deletion operation. The race condition occurs because the system checks file permissions or existence at one point in time and then performs the deletion action at a later point, creating an opportunity for attackers to manipulate the file system between these two operations.
The technical implementation of this vulnerability exploits the fundamental timing gap between when the software validates file access permissions and when it actually performs the deletion operation. An attacker can create a symbolic link that points to a target file they wish to delete, then quickly replace the original file with a new file while the deletion process is in progress. This manipulation allows the software to delete the attacker-controlled file instead of the intended target, effectively enabling arbitrary file deletion. The vulnerability is particularly dangerous because it leverages the inherent weakness in the software's file handling logic without requiring elevated privileges or complex exploitation techniques.
From an operational impact perspective, this vulnerability poses significant risks to systems that utilize FDUPES for duplicate file detection and cleanup operations. The race condition can be exploited in various scenarios including automated file management systems, backup processes, and system maintenance utilities that rely on FDUPES for duplicate detection. Attackers can leverage this vulnerability to remove critical system files, configuration files, or user data, potentially leading to system instability, data loss, or complete system compromise. The vulnerability is particularly concerning in environments where FDUPES is used in automated scripts or with elevated privileges, as the attack surface expands significantly.
The root cause of this vulnerability aligns with CWE-367, which describes Time-of-Check to Time-of-Use (TOCTOU) race conditions, and can be mapped to ATT&CK technique T1486, which covers Data Destruction. The vulnerability demonstrates poor defensive programming practices where the software does not properly synchronize file system operations or maintain consistent state throughout the deletion process. Organizations should consider implementing immediate mitigations by upgrading to FDUPES version 2.2.0 or later, which addresses the race condition through proper synchronization mechanisms. Additional protective measures include implementing strict file system permissions, monitoring for suspicious symbolic link creation patterns, and conducting regular security audits of automated file management processes. System administrators should also consider disabling or restricting the use of FDUPES in environments where it might be exploited, particularly in scenarios involving sensitive data or critical system files.