CVE-2026-25645 (GCVE-0-2026-25645)
Vulnerability from cvelistv5 – Published: 2026-03-25 17:02 – Updated: 2026-03-25 22:48
Title
Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function
Summary
Requests is an HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability; only applications that call `extract_zipped_paths()` directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access.
Severity
4.4 (Medium)
CWE
- CWE-377 - Insecure Temporary File
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2 | x_refsource_CONFIRM |
| https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7 | x_refsource_MISC |
| https://github.com/psf/requests/releases/tag/v2.33.0 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25645",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-25T20:09:33.855806Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T20:09:40.551Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "requests",
"vendor": "psf",
"versions": [
{
"status": "affected",
"version": "\u003c 2.33.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. Only applications that call `extract_zipped_paths()` directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-377",
"description": "CWE-377: Insecure Temporary File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T22:48:33.406Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2"
},
{
"name": "https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7"
},
{
"name": "https://github.com/psf/requests/releases/tag/v2.33.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/psf/requests/releases/tag/v2.33.0"
}
],
"source": {
"advisory": "GHSA-gc5v-m9x4-r6x2",
"discovery": "UNKNOWN"
},
"title": "Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25645",
"datePublished": "2026-03-25T17:02:48.402Z",
"dateReserved": "2026-02-04T05:15:41.791Z",
"dateUpdated": "2026-03-25T22:48:33.406Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-25645\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-25T17:16:52.970\",\"lastModified\":\"2026-03-30T14:23:16.127\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. Only applications that call `extract_zipped_paths()` directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access.\"},{\"lang\":\"es\",\"value\":\"Requests es una biblioteca HTTP. Antes de la versi\u00f3n 2.33.0, la funci\u00f3n de utilidad \u0027requests.utils.extract_zipped_paths()\u0027 utiliza un nombre de archivo predecible al extraer archivos de archivos zip en el directorio temporal del sistema. Si el archivo de destino ya existe, se reutiliza sin validaci\u00f3n. Un atacante local con acceso de escritura al directorio temporal podr\u00eda pre-crear un archivo malicioso que se cargar\u00eda en lugar del leg\u00edtimo. El uso est\u00e1ndar de la biblioteca Requests no se ve afectado por esta vulnerabilidad. Solo las aplicaciones que llaman a \u0027extract_zipped_paths()\u0027 directamente se ven afectadas. A partir de la versi\u00f3n 2.33.0, la biblioteca extrae archivos a una ubicaci\u00f3n no determinista. 
Si los desarrolladores no pueden actualizar, pueden establecer \u0027TMPDIR\u0027 en su entorno a un directorio con acceso de escritura restringido.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N\",\"baseScore\":4.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":0.8,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-377\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:python:requests:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.33.0\",\"matchCriteriaId\":\"B164516D-2E98-41D4-9CB7-40FD49A1B6D9\"}]}]}],\"references\":[{\"url\":\"https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/psf/requests/releases/tag/v2.33.0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release 
Notes\"]},{\"url\":\"https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-25645\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-25T20:09:33.855806Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-25T20:09:37.239Z\"}}], \"cna\": {\"title\": \"Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function\", \"source\": {\"advisory\": \"GHSA-gc5v-m9x4-r6x2\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.4, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"psf\", \"product\": \"requests\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.33.0\"}]}], \"references\": [{\"url\": \"https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2\", \"name\": \"https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7\", \"name\": \"https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/psf/requests/releases/tag/v2.33.0\", \"name\": \"https://github.com/psf/requests/releases/tag/v2.33.0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Requests is a HTTP library. 
Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. Only applications that call `extract_zipped_paths()` directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-377\", \"description\": \"CWE-377: Insecure Temporary File\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-25T22:48:33.406Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-25645\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-25T22:48:33.406Z\", \"dateReserved\": \"2026-02-04T05:15:41.791Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-25T17:02:48.402Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.