anonhaven
Ad

CVE-2026-25645

MEDIUM CVSS 3.1: 5.5 EPSS 0.00%
Updated Mar 30, 2026
Python
Parameter Value
CVSS 5.5 (MEDIUM)
Affected Versions before 2.33.0
Fixed In 2.33.0
Type CWE-377
Vendor Python
Public PoC No

Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation.

A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. Only applications that call `extract_zipped_paths()` directly are impacted.

Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access.

Attack Parameters

Attack Vector
Local
Requires local access
Attack Complexity
Low
Easy to exploit
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
None
No data leak
Integrity
High
Complete data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-377

Vulnerable Products 1

Configuration From (including) Up to (excluding)
Python Requests
cpe:2.3:a:python:requests:*:*:*:*:*:*:*:*
 2.33.0

References 3

https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7
security-advisories@github.com
https://github.com/psf/requests/releases/tag/v2.33.0
security-advisories@github.com
https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-5271

Python

5.6

CVE-2026-32274

Python

8.7

CVE-2026-31900

GitHub

8.7

CVE-2026-21441

Python

8.9