CVE Vulnerabilities

CVE-2026-25645

Insecure Temporary File

Published: Mar 25, 2026 | Modified: Mar 30, 2026
CVSS 3.x
5.5
MEDIUM
Source:
NVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CVSS 2.x
RedHat/V2
RedHat/V3
4.7 MODERATE
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
Ubuntu
LOW
root.io logo minimus.io logo echo.ai logo

Requests is a HTTP library. Prior to version 2.33.0, the requests.utils.extract_zipped_paths() utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. Only applications that call extract_zipped_paths() directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set TMPDIR in their environment to a directory with restricted write access.

Weakness

Creating and using insecure temporary files can leave application and system data vulnerable to attack.

Affected Software

NameVendorStart VersionEnd Version
RequestsPython*2.33.0 (excluding)
Python-pipUbuntuesm-apps/xenial*
RequestsUbuntuesm-infra/xenial*
RequestsUbuntuupstream*

References