CVE-2026-25645

Published: Mar 25, 2026

Modified: Mar 25, 2026

PUBLISHED

CVSS v3.1

4.4

MEDIUM

Description

Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. Only applications that call `extract_zipped_paths()` directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access.

Vendor	Product	Versions
psf	requests	affected `< 2.33.0`

Weaknesses (CWE)

CWE-377

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

References

https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2

x_refsource_CONFIRM

https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7

x_refsource_MISC

https://github.com/psf/requests/releases/tag/v2.33.0

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-25645

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References