Description
Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. Only applications that call `extract_zipped_paths()` directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access.
Published: 2026-03-25
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Temp File Overwrite
Action: Patch Now
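The pattern the description spells out, shown as an added example rather than Requests' own code: a "vulnerable" extractor that builds its output path from the temp directory plus the member's basename and trusts whatever is already there, beside a hardened variant that extracts into a fresh `mkdtemp()` directory and creates the file with `O_EXCL`. The archive, member name `certifi/cacert.pem`, the planted file and the function names are all constructed for the illustration; `matches_archive()` is the content check a caller can run on anything it is about to load as a CA bundle.

```python
import hashlib
import os
import tempfile
import zipfile

MEMBER = "certifi/cacert.pem"  # archive member name used by the constructed scenario


def vulnerable_extract(archive_path: str, member: str, tmpdir: str) -> str:
    # Illustration of the flawed pattern from the advisory, not requests' code:
    # output path is <tmpdir>/<basename>, and a pre-existing file is reused as-is.
    target = os.path.join(tmpdir, os.path.basename(member))
    if not os.path.exists(target):
        with zipfile.ZipFile(archive_path) as zf, open(target, "wb") as out:
            out.write(zf.read(member))
    return target


def hardened_extract(archive_path: str, member: str, tmpdir: str) -> str:
    # Fresh directory per call: mkdtemp() picks an unpredictable name and
    # creates it mode 0o700, so nothing an attacker planted earlier is reachable.
    private_dir = tempfile.mkdtemp(prefix="extract-", dir=tmpdir)
    target = os.path.join(private_dir, os.path.basename(member))
    with zipfile.ZipFile(archive_path) as zf:
        data = zf.read(member)
    # O_EXCL: create-or-fail, never open a file that already exists.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as out:
        out.write(data)
    return target


def matches_archive(archive_path: str, member: str, extracted_path: str) -> bool:
    # Check a caller can run before trusting the file: does it equal the member?
    with zipfile.ZipFile(archive_path) as zf:
        expected = hashlib.sha256(zf.read(member)).hexdigest()
    with open(extracted_path, "rb") as f:
        actual = hashlib.sha256(f.read()).hexdigest()
    return expected == actual


def demo() -> dict:
    # Constructed scenario (not real data): an archive holding a CA bundle and
    # a shared temp dir where a local attacker has already planted cacert.pem.
    work = tempfile.mkdtemp()
    shared_tmp = os.path.join(work, "shared_tmp")  # stands in for /tmp
    os.mkdir(shared_tmp)
    archive = os.path.join(work, "app.pyz")
    genuine = b"-----BEGIN CERTIFICATE-----\nGENUINE\n-----END CERTIFICATE-----\n"
    planted = b"-----BEGIN CERTIFICATE-----\nATTACKER\n-----END CERTIFICATE-----\n"
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr(MEMBER, genuine)
    with open(os.path.join(shared_tmp, os.path.basename(MEMBER)), "wb") as f:
        f.write(planted)  # attacker goes first, before the application starts

    vuln_path = vulnerable_extract(archive, MEMBER, shared_tmp)
    safe_path = hardened_extract(archive, MEMBER, shared_tmp)
    with open(vuln_path, "rb") as f:
        vuln_bytes = f.read()
    return {
        "vulnerable_loaded_planted_bundle": vuln_bytes == planted,
        "vulnerable_matches_archive": matches_archive(archive, MEMBER, vuln_path),
        "hardened_matches_archive": matches_archive(archive, MEMBER, safe_path),
        "hardened_dir_is_private": (os.stat(os.path.dirname(safe_path)).st_mode & 0o077) == 0,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The `tmpdir` argument is where the description's `TMPDIR` workaround bites: `tempfile.gettempdir()` honours `TMPDIR`, so pointing it at a directory only the service account can write to removes the attacker's precondition for the vulnerable variant, whereas the hardened variant removes the reuse itself and needs no environment assumption.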

Remediation

Fixed in requests 2.33.0, which extracts to a non-deterministic location. If upgrading is not possible, set `TMPDIR` to a directory with restricted write access (both per the advisory description above). Only applications that call `extract_zipped_paths()` directly are affected.


Advisories
Source: GitHub GHSA
ID: GHSA-gc5v-m9x4-r6x2
Title: Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function
History

Mon, 30 Mar 2026 14:30:00 +0000

First Time appeared: Python; Python requests
CPEs: cpe:2.3:a:python:requests:*:*:*:*:*:*:*:*
Vendors & Products: Python; Python requests

Sat, 28 Mar 2026 12:15:00 +0000

Weaknesses: CWE-379
References: updated
Metrics: threat_severity changed from None (removed) to Moderate (added)


Thu, 26 Mar 2026 12:00:00 +0000

First Time appeared: Psf; Psf psf-requests
Vendors & Products: Psf; Psf psf-requests

Wed, 25 Mar 2026 23:00:00 +0000

Description changed.

Values Removed: Requests is a HTTP library. Prior to version 2.33.0, the function `requests.utils.extract_zipped_paths()` (which is used by `HTTPAdapter.cert_verify()` to load the CA bundle, often from the `certifi` package's zipapp structure) uses a predictable, non-unique filename (the basename of the file, e.g., `cacert.pem`) when attempting to extract files into the system's temporary directory (`/tmp`). The vulnerable logic performs a check to see if the target file already exists in `/tmp` and re-uses the existing file if found, instead of securely checking the file's content or ensuring atomic, unique extraction. This allows a Local Attacker to pre-create a malicious CA bundle file (e.g., `/tmp/cacert.pem`) before a vulnerable application (running with potentially higher privileges) initializes the `requests` library. Version 2.33.0 contains a patch.

Values Added: Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. Only applications that call `extract_zipped_paths()` directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access.

Wed, 25 Mar 2026 20:15:00 +0000

Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 17:15:00 +0000

Description: Requests is a HTTP library. Prior to version 2.33.0, the function `requests.utils.extract_zipped_paths()` (which is used by `HTTPAdapter.cert_verify()` to load the CA bundle, often from the `certifi` package's zipapp structure) uses a predictable, non-unique filename (the basename of the file, e.g., `cacert.pem`) when attempting to extract files into the system's temporary directory (`/tmp`). The vulnerable logic performs a check to see if the target file already exists in `/tmp` and re-uses the existing file if found, instead of securely checking the file's content or ensuring atomic, unique extraction. This allows a Local Attacker to pre-create a malicious CA bundle file (e.g., `/tmp/cacert.pem`) before a vulnerable application (running with potentially higher privileges) initializes the `requests` library. Version 2.33.0 contains a patch.
Title: Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function
Weaknesses: CWE-377
References: added
Metrics: cvssV3_1 {'score': 4.4, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T22:48:33.406Z

Reserved: 2026-02-04T05:15:41.791Z

Link: CVE-2026-25645

Vulnrichment

Updated: 2026-03-25T20:09:37.239Z

NVD

Status : Analyzed

Published: 2026-03-25T17:16:52.970

Modified: 2026-03-30T14:23:16.127

Link: CVE-2026-25645

Red Hat

Severity: Moderate

Public Date: 2026-03-25T17:02:48Z

Links: CVE-2026-25645 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-30T20:57:59Z

Weaknesses