CVE-2026-25645
Insecure Temporary File Handling in Requests Library Allows Privilege Escalation
Publication date: 2026-03-25
Last updated on: 2026-03-30
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| python | requests | all versions before 2.33.0 (2.33.0 itself excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-377 | Creating and using insecure temporary files can leave application and system data vulnerable to attack. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25645 is a vulnerability in the Python Requests library, specifically in the function `requests.utils.extract_zipped_paths()`. This function extracts files from a ZIP archive into the system's temporary directory using predictable filenames, such as `cacert.pem`. If a file with the same name already exists in the temporary directory, the function reuses it without verifying its contents or ensuring a unique extraction. This flaw allows a local attacker with write access to the temporary directory to pre-create a malicious file that could be loaded by a vulnerable application, potentially compromising the integrity of the application.
The vulnerability affects Requests versions prior to 2.33.0 and is mitigated in version 2.33.0 by changing the extraction process to use randomized, non-deterministic temporary file locations, preventing predictable file reuse and race conditions.
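The two extraction patterns the answer contrasts, as an added illustration (constructed here, not code from the Requests project): the predictable shared-name pattern reuses whatever already sits at the path, while the hardened pattern gives every extraction a fresh owner-only directory and refuses a pre-existing file. The archive member name and file contents are constructed, and everything runs inside a throwaway directory the script creates itself.

```python
import os
import tempfile
import zipfile

MEMBER = "certs/cacert.pem"  # constructed archive member, mirrors the advisory's example name

def extract_predictable(zip_path, member, tmp_dir):
    """Insecure pattern (CWE-377): a fixed name under a shared temp dir, and an
    existing file of that name is reused without checking what it contains."""
    out = os.path.join(tmp_dir, member.split("/")[-1])
    if not os.path.exists(out):
        with zipfile.ZipFile(zip_path) as zf, open(out, "wb") as fh:
            fh.write(zf.read(member))
    return out

def extract_private(zip_path, member, tmp_dir):
    """Hardened pattern: a fresh owner-only directory with an unpredictable name
    for every extraction, and O_EXCL so a pre-existing path is an error, not trusted."""
    private_dir = tempfile.mkdtemp(prefix="bundle-", dir=tmp_dir)  # created with mode 0700
    out = os.path.join(private_dir, os.path.basename(member))
    fd = os.open(out, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with zipfile.ZipFile(zip_path) as zf, os.fdopen(fd, "wb") as fh:
        fh.write(zf.read(member))
    return out

def _read(path):
    with open(path, "rb") as fh:
        return fh.read()

def demonstrate():
    """Exercise both patterns inside a throwaway directory (never the real temp dir)."""
    work = tempfile.mkdtemp(prefix="cwe377-demo-")
    bundle = os.path.join(work, "bundle.zip")
    with zipfile.ZipFile(bundle, "w") as zf:  # constructed sample archive
        zf.writestr(MEMBER, b"GOOD BUNDLE")
    shared = os.path.join(work, "shared-tmp")
    os.mkdir(shared)
    # A stale or untrusted file already sitting at the predictable name.
    with open(os.path.join(shared, "cacert.pem"), "wb") as fh:
        fh.write(b"NOT THE REAL BUNDLE")
    first = extract_private(bundle, MEMBER, shared)
    second = extract_private(bundle, MEMBER, shared)
    return {
        "predictable": _read(extract_predictable(bundle, MEMBER, shared)),
        "private": _read(first),
        "private_paths_differ": first != second,
    }
```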
How can this vulnerability impact me?
This vulnerability can impact you if your application uses the Requests library and directly invokes the `extract_zipped_paths()` function to load CA bundles or other files from ZIP archives. A local attacker with write access to the system's temporary directory can pre-create a malicious file with a predictable name, which the vulnerable function may load instead of the legitimate file.
The impact is a potential integrity compromise, where the attacker can cause the application to use malicious certificate bundles, possibly leading to man-in-the-middle attacks or other security breaches. The vulnerability requires local access, low privileges, and user interaction, and it does not affect confidentiality or availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects applications that directly invoke `requests.utils.extract_zipped_paths()` from Requests versions prior to 2.33.0. Detection therefore has two parts: finding vulnerable Requests installations, and finding application code that calls this specific function.
You can check the installed Requests version with the following command:
- `python -c "import requests; print(requests.__version__)"`
To detect whether the vulnerable function is used, search your codebase for calls to `extract_zipped_paths()`:
- `grep -r 'extract_zipped_paths' /path/to/your/code`
Additionally, check the temporary directory for suspicious or pre-created files named `cacert.pem` or similar, which could indicate exploitation attempts:
- `ls -l /tmp/cacert.pem`
Note that a legitimately extracted copy also lives at that path, so judge the file by its owner, permissions and contents rather than by its presence alone, and look under `$TMPDIR` instead of `/tmp` when that variable is set.
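A script that automates the three checks above (an added example, not code from the page or the Requests project): version comparison against 2.33.0, an AST scan that separates real calls to `extract_zipped_paths()` from the imports and comments that `grep` also matches, and a look at who controls any `cacert.pem` already in the temp dir. `SAMPLE_SOURCE` is constructed; `check_tempdir()` defaults to `tempfile.gettempdir()`, which honours `TMPDIR`.

```python
import ast
import os
import re
import stat
import tempfile

FIXED_VERSION = (2, 33, 0)  # first release the advisory lists as fixed
FUNC = "extract_zipped_paths"

# Constructed sample source: grep matches all four mentions, the AST scan finds the two calls.
SAMPLE_SOURCE = '''\
import requests.utils
from requests.utils import extract_zipped_paths
bundle = extract_zipped_paths(path)
def load(p):
    # a comment naming extract_zipped_paths is not a call
    return requests.utils.extract_zipped_paths(p)
'''

def parse_version(text):
    """Numeric prefix as a comparable tuple: '2.32.3' -> (2, 32, 3), '2.33' -> (2, 33, 0)."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    nums = [int(n) for n in m.group(0).split(".")] if m else [0]
    return tuple(nums + [0] * (3 - len(nums)))

def is_vulnerable_version(text):
    return parse_version(text) < FIXED_VERSION

def find_calls(source):
    """Line numbers where extract_zipped_paths is called, as a bare name or as an attribute."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            f = node.func
            name = f.id if isinstance(f, ast.Name) else getattr(f, "attr", None)
            if name == FUNC:
                hits.append(node.lineno)
    return sorted(hits)

def check_tempdir(tmp_dir=None):
    """Report a pre-existing cacert.pem in the temp dir and who controls it."""
    tmp_dir = tmp_dir or tempfile.gettempdir()
    path = os.path.join(tmp_dir, "cacert.pem")
    if not os.path.lexists(path):
        return {"present": False, "path": path}
    st = os.lstat(path)
    return {"present": True, "path": path, "is_symlink": stat.S_ISLNK(st.st_mode),
            "owned_by_me": st.st_uid == os.getuid(),
            "world_writable": bool(st.st_mode & stat.S_IWOTH)}
```

Run `find_calls()` over each `.py` file in your tree; a file whose `cacert.pem` report shows `owned_by_me` false, `is_symlink` true or `world_writable` true deserves a closer look before the application trusts it.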
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the Requests library to version 2.33.0 or later, which patches the vulnerability by extracting files to randomized temporary locations.
If upgrading is not immediately possible, you can reduce the risk by setting the `TMPDIR` environment variable to a directory writable only by the account that runs the application, so that other local users cannot pre-create files in the temporary directory it uses.
- Upgrade Requests: `pip install --upgrade requests`
- Set `TMPDIR` to a secure directory: `export TMPDIR=/path/to/secure/tmp`
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in the Requests library's extract_zipped_paths() function allows a local attacker to replace files extracted from zip archives with malicious files due to predictable temporary file paths and lack of validation. This can lead to integrity compromise of the extracted files.
While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the integrity impact of this vulnerability could potentially affect compliance if the compromised files are part of systems handling sensitive or regulated data.
Applications that directly invoke this vulnerable function and fail to mitigate the issue may risk violating data integrity requirements mandated by such regulations, especially if malicious file replacement leads to unauthorized data modification or processing.
However, since standard usage of the Requests library is not affected and the vulnerability requires direct use of the specific function, the overall compliance risk depends on the specific application context and whether it processes regulated data using this vulnerable function.