Race Condition
Two execution paths share state without proper synchronisation; the outcome depends on timing. Classic forms include TOCTOU (time-of-check vs time-of-use) and lost updates in databases.
GateTest coverage
Caught by: raceCondition
Example
if (fs.existsSync(path)) { fs.unlinkSync(path) }
Between the exists check and the unlink, an attacker swaps the file for a symlink.
How to fix it
For filesystem: avoid check-then-act; use atomic operations (open with O_CREAT|O_EXCL). For databases: use transactions and SELECT FOR UPDATE or UPSERT. raceCondition catches the common JS/Node TOCTOU + ORM get-or-create patterns.
Scan your repo for CWE-362
Free preview of findings. Pay per scan — no subscription. AI auto-fix PR included on the Scan + Fix tier.
Frequently asked questions
What is CWE-362 (Race Condition)?
Two execution paths share state without proper synchronisation; the outcome depends on timing. Classic forms include TOCTOU (time-of-check vs time-of-use) and lost updates in databases.
How do I fix a race condition?
For filesystem: avoid check-then-act; use atomic operations (open with O_CREAT|O_EXCL). For databases: use transactions and SELECT FOR UPDATE or UPSERT. raceCondition catches the common JS/Node TOCTOU + ORM get-or-create patterns.
Does GateTest detect race condition?
Yes — GateTest's raceCondition module catches this class. Findings appear in the standard scan output with file and line numbers. On the Scan + Fix and Forensic Scan tiers, Claude opens a pull request with the fix.
What rank is Race Condition in the CWE Top 25?
Race Condition is ranked #21 in the MITRE 2023 CWE Top 25 Most Dangerous Software Weaknesses list. The ranking reflects both prevalence (how often it appears in real CVEs) and severity (the typical impact when it's exploited).