Description

Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. Only applications that call `extract_zipped_paths()` directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access.

INFO

Published Date :

2026-03-25T17:02:48.402Z

Last Modified :

2026-03-25T22:48:33.406Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-25645 vulnerability.

Vendors Products
Psf
  • Psf-requests
Python
  • Requests
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-25645.

URL Resource
https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7 cve-icon cve-icon cve-icon
https://github.com/psf/requests/releases/tag/v2.33.0 cve-icon cve-icon cve-icon
https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-25645 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-25645 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact