Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function
Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.
Affected versions
Details
### Impact The `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. ### Affected usages **Standard usage of the Requests library is not affected by this vulnerability.** Only applications that call `extract_zipped_paths()` directly are impacted. ### Remediation Upgrade to at least Requests 2.33.0, where the library now extracts files to a non-deterministic location. If developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access.
The fix
Merge commit from fork
src/requests/utils.py+7 −6
@@ -282,12 +282,13 @@ def extract_zipped_paths(path):return path# we have a valid zip archive and a valid member of that archive-tmp = tempfile.gettempdir()-extracted_path = os.path.join(tmp, member.split("/")[-1])-if not os.path.exists(extracted_path):-# use read + write to avoid the creating nested folders, we only want the file, avoids mkdir racing condition-with atomic_open(extracted_path) as file_handler:-file_handler.write(zip_file.read(member))+suffix = os.path.splitext(member.split("/")[-1])[-1]+fd, extracted_path = tempfile.mkstemp(suffix=suffix)+try:+os.write(fd, zip_file.read(member))+finally:+os.close(fd)+return extracted_path
References
- WEBhttps://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-25645
- WEBhttps://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7
- PACKAGEhttps://github.com/psf/requests
- WEBhttps://github.com/psf/requests/releases/tag/v2.33.0