Security context
Medium· 4.4GHSA-gc5v-m9x4-r6x2 CVE-2026-25645CWE-377Published Mar 25, 2026

Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function

Research this vulnerability

Research is free — Hunters explains how the bug works, the root-cause code pattern, how the fix addresses it, and how to test whether a target is affected, in chat. Investigate & write exploit is a paid run — the engine reads the advisory and fix commits, then builds and validates a working proof-of-concept exploit with reproduction steps.

Affected versions

0 → fixed in 2.33.0

Details

### Impact The `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. ### Affected usages **Standard usage of the Requests library is not affected by this vulnerability.** Only applications that call `extract_zipped_paths()` directly are impacted. ### Remediation Upgrade to at least Requests 2.33.0, where the library now extracts files to a non-deterministic location. If developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access.

The fix

Merge commit from fork

Nate Prewitt· Mar 25, 2026, 02:57 PM+7666d21cb07b
src/requests/utils.py+7 6
@@ -282,12 +282,13 @@ def extract_zipped_paths(path):
return path
# we have a valid zip archive and a valid member of that archive
- tmp = tempfile.gettempdir()
- extracted_path = os.path.join(tmp, member.split("/")[-1])
- if not os.path.exists(extracted_path):
- # use read + write to avoid the creating nested folders, we only want the file, avoids mkdir racing condition
- with atomic_open(extracted_path) as file_handler:
- file_handler.write(zip_file.read(member))
+ suffix = os.path.splitext(member.split("/")[-1])[-1]
+ fd, extracted_path = tempfile.mkstemp(suffix=suffix)
+ try:
+ os.write(fd, zip_file.read(member))
+ finally:
+ os.close(fd)
+
return extracted_path

References