Description
Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. Only applications that call `extract_zipped_paths()` directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access.
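The predictable-name reuse pattern the description refers to, shown beside a hardened variant that extracts into a fresh `mkdtemp()` directory. This is an added illustration written for this page, not code from the Requests project: the function names, the `tmp_root` parameter, the archive member `certifi/cacert.pem` and the planted file are all constructed inside a private sandbox directory rather than the real system temp dir.

```python
import os
import shutil
import tempfile
import zipfile

# Constructed sample payloads (not real certificate material).
GOOD = b"-----BEGIN CERTIFICATE-----\nlegitimate bundle\n-----END CERTIFICATE-----\n"
BAD = b"-----BEGIN CERTIFICATE-----\nplanted by another local user\n-----END CERTIFICATE-----\n"


def extract_vulnerable(zip_path, member, tmp_root):
    """Simplified reconstruction of the pre-2.33.0 pattern the advisory describes:
    the target is <tmp_root>/<basename>, and a file already there is reused unchecked."""
    target = os.path.join(tmp_root, os.path.basename(member))
    if os.path.exists(target):
        return target  # no ownership, permission or content validation
    with zipfile.ZipFile(zip_path) as zf, open(target, "wb") as out:
        out.write(zf.read(member))
    return target


def extract_hardened(zip_path, member, tmp_root):
    """Hardened variant: each call gets a fresh directory from mkdtemp(), created with
    mode 0o700 and an unpredictable name, so nothing pre-existing can be picked up and
    other local users cannot write into it."""
    private_dir = tempfile.mkdtemp(prefix="zipped-paths-", dir=tmp_root)
    target = os.path.join(private_dir, os.path.basename(member))
    with zipfile.ZipFile(zip_path) as zf, open(target, "wb") as out:
        out.write(zf.read(member))
    return target


def demo():
    """Build a zipapp-style archive holding certifi/cacert.pem, plant a stale file with
    the predictable name in the sandbox, and return (vulnerable_bytes, hardened_bytes)."""
    sandbox = tempfile.mkdtemp(prefix="cve-2026-25645-demo-")  # stands in for $TMPDIR
    try:
        zip_path = os.path.join(sandbox, "app.pyz")
        member = "certifi/cacert.pem"
        with zipfile.ZipFile(zip_path, "w") as zf:
            zf.writestr(member, GOOD)
        # Constructed pre-condition: the predictable path already exists before extraction.
        with open(os.path.join(sandbox, "cacert.pem"), "wb") as f:
            f.write(BAD)
        with open(extract_vulnerable(zip_path, member, sandbox), "rb") as f:
            vulnerable = f.read()
        with open(extract_hardened(zip_path, member, sandbox), "rb") as f:
            hardened = f.read()
    finally:
        shutil.rmtree(sandbox, ignore_errors=True)
    return vulnerable, hardened
```

Running `demo()` returns the planted bytes from the vulnerable path and the archive's real bytes from the hardened one; the `TMPDIR` workaround in the description narrows who can create that pre-existing file, while the fix removes the predictable path altogether.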
Published: 2026-03-25
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Temp File Overwrite
Action: Patch Now
AI Analysis

Impact

The utility function extract_zipped_paths() creates a predictable temporary file name, letting a local attacker who can write to the system temp directory pre-create a malicious file that will be reused by the library, allowing the application to load harmful data or code. This vulnerability only affects the Requests library when extract_zipped_paths() is called directly and does not impact standard HTTP request usage. The result is a local file overwrite that could lead to arbitrary code execution within the process.

Affected Systems

The Python Requests library versions prior to 2.33.0 are affected. Any application that imports or invokes extract_zipped_paths() may be vulnerable. The fix is available in version 2.33.0 and newer, which extracts files to a nondeterministic location. The vulnerability concerns the requests.utils module in the psf:requests product.

Risk and Exploitability

The CVSS score is 4.4, indicating moderate severity, and the EPSS score is less than 1%, meaning a low likelihood of exploitation in the wild. Furthermore, the vulnerability is not listed in the CISA KEV catalog. Exploitation requires local write access to the temporary directory and direct use of extract_zipped_paths(); thus, the attack vector is local only. Mitigation consists mainly of upgrading the library or configuring the environment variable TMPDIR to a directory with restricted write permissions.

Generated by OpenCVE AI on March 30, 2026 at 15:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Requests library to version 2.33.0 or later.
  • If an upgrade is not possible, set the TMPDIR environment variable to a directory that is not writable by untrusted users.
  • Verify that your application does not call extract_zipped_paths() with untrusted input.
  • Monitor the temporary directory for unauthorized or unexpected file creations.


Advisories
Source: Github GHSA
ID: GHSA-gc5v-m9x4-r6x2
Title: Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function
History

Mon, 30 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared: Python; Python requests
CPEs: cpe:2.3:a:python:requests:*:*:*:*:*:*:*:*
Vendors & Products: Python; Python requests

Sat, 28 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-379
References
Metrics threat_severity
  Values Removed: None
  Values Added: Moderate


Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared: Psf; Psf psf-requests
Vendors & Products: Psf; Psf psf-requests

Wed, 25 Mar 2026 23:00:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Requests is a HTTP library. Prior to version 2.33.0, the function `requests.utils.extract_zipped_paths()` (which is used by `HTTPAdapter.cert_verify()` to load the CA bundle, often from the `certifi` package's zipapp structure) uses a predictable, non-unique filename (the basename of the file, e.g., `cacert.pem`) when attempting to extract files into the system's temporary directory (`/tmp`). The vulnerable logic performs a check to see if the target file already exists in `/tmp` and re-uses the existing file if found, instead of securely checking the file's content or ensuring atomic, unique extraction. This allows a Local Attacker to pre-create a malicious CA bundle file (e.g., `/tmp/cacert.pem`) before a vulnerable application (running with potentially higher privileges) initializes the `requests` library. Version 2.33.0 contains a patch.
  Values Added: Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. Only applications that call `extract_zipped_paths()` directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access.

Wed, 25 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Description Requests is a HTTP library. Prior to version 2.33.0, the function `requests.utils.extract_zipped_paths()` (which is used by `HTTPAdapter.cert_verify()` to load the CA bundle, often from the `certifi` package's zipapp structure) uses a predictable, non-unique filename (the basename of the file, e.g., `cacert.pem`) when attempting to extract files into the system's temporary directory (`/tmp`). The vulnerable logic performs a check to see if the target file already exists in `/tmp` and re-uses the existing file if found, instead of securely checking the file's content or ensuring atomic, unique extraction. This allows a Local Attacker to pre-create a malicious CA bundle file (e.g., `/tmp/cacert.pem`) before a vulnerable application (running with potentially higher privileges) initializes the `requests` library. Version 2.33.0 contains a patch.
Title Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function
Weaknesses CWE-377
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T22:48:33.406Z

Reserved: 2026-02-04T05:15:41.791Z

Link: CVE-2026-25645

Vulnrichment

Updated: 2026-03-25T20:09:37.239Z

NVD

Status : Analyzed

Published: 2026-03-25T17:16:52.970

Modified: 2026-03-30T14:23:16.127

Link: CVE-2026-25645

Redhat

Severity : Moderate

Public Date: 2026-03-25T17:02:48Z

Links: CVE-2026-25645 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-30T20:57:59Z

Weaknesses