CVE-2026-25645
Received Received - Intake
Insecure Temporary File Handling in Requests Library Allows Privilege Escalation

Publication date: 2026-03-25

Last updated on: 2026-03-30

Assigner: GitHub, Inc.

Description
Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. Only applications that call `extract_zipped_paths()` directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-03-30
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-14
NVD
CVE-2026-25645
EUVD
EUVD-2026-15754
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
python requests to 2.33.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-377 Creating and using insecure temporary files can leave application and system data vulnerable to attack.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-25645 is a vulnerability in the Python Requests library, specifically in the function `requests.utils.extract_zipped_paths()`. This function extracts files from a ZIP archive into the system's temporary directory using predictable filenames, such as `cacert.pem`. If a file with the same name already exists in the temporary directory, the function reuses it without verifying its contents or ensuring a unique extraction. This flaw allows a local attacker with write access to the temporary directory to pre-create a malicious file that could be loaded by a vulnerable application, potentially compromising the integrity of the application.

The vulnerability affects Requests versions prior to 2.33.0 and is mitigated in version 2.33.0 by changing the extraction process to use randomized, non-deterministic temporary file locations, preventing predictable file reuse and race conditions.

Impact Analysis

This vulnerability can impact you if your application uses the Requests library and directly invokes the `extract_zipped_paths()` function to load CA bundles or other files from ZIP archives. A local attacker with write access to the system's temporary directory can pre-create a malicious file with a predictable name, which the vulnerable function may load instead of the legitimate file.

The impact is a potential integrity compromise, where the attacker can cause the application to use malicious certificate bundles, possibly leading to man-in-the-middle attacks or other security breaches. The vulnerability requires local access, low privileges, and user interaction, and it does not affect confidentiality or availability.

Detection Guidance

This vulnerability affects applications that directly invoke the function requests.utils.extract_zipped_paths() from the Requests library prior to version 2.33.0. Detection involves identifying if your environment uses a vulnerable Requests version and if any application code calls this specific function.

You can check the installed Requests version with the following command:

  • python -c "import requests; print(requests.__version__)"

To detect if the vulnerable function is used, you may search your codebase for calls to extract_zipped_paths():

  • grep -r 'extract_zipped_paths' /path/to/your/code

Additionally, check the /tmp directory for suspicious or pre-created files named cacert.pem or similar, which could indicate exploitation attempts:

  • ls -l /tmp/cacert.pem
Mitigation Strategies

The primary mitigation is to upgrade the Requests library to version 2.33.0 or later, which patches the vulnerability by extracting files to randomized temporary locations.

If upgrading is not immediately possible, you can mitigate the risk by setting the TMPDIR environment variable to a directory with restricted write permissions, preventing local attackers from pre-creating malicious files in the temporary directory.

  • Upgrade Requests: pip install --upgrade requests
  • Set TMPDIR to a secure directory: export TMPDIR=/path/to/secure/tmp
Compliance Impact

The vulnerability in the Requests library's extract_zipped_paths() function allows a local attacker to replace files extracted from zip archives with malicious files due to predictable temporary file paths and lack of validation. This can lead to integrity compromise of the extracted files.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the integrity impact of this vulnerability could potentially affect compliance if the compromised files are part of systems handling sensitive or regulated data.

Applications that directly invoke this vulnerable function and fail to mitigate the issue may risk violating data integrity requirements mandated by such regulations, especially if malicious file replacement leads to unauthorized data modification or processing.

However, since standard usage of the Requests library is not affected and the vulnerability requires direct use of the specific function, the overall compliance risk depends on the specific application context and whether it processes regulated data using this vulnerable function.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25645. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart