PyPI · Requests · CVE-2026-25645
**Name of the Vulnerable Software and Affected Versions**
Requests versions prior to 2.33.0
**Description**
The `requests.utils.extract_zipped_paths()` function uses a predictable filename when extracting files from zip archives into the system temporary directory. If a file with that name already exists, it is reused without validation. A local attacker with write access to the temporary directory could pre-create a malicious file that would then be loaded in place of the legitimate one. This affects applications that call `extract_zipped_paths()` directly. The function is also used by `HTTPAdapter.cert_verify()` to load the CA bundle.
**Recommendations**
Versions prior to 2.33.0 should be upgraded to version 2.33.0 or later.
If upgrading is not possible, set the `TMPDIR` environment variable to a directory with restricted write access.
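As an added example (not code from the Requests project), the following Python shows the hardened pattern implied by the description above and the check behind the `TMPDIR` recommendation: the archive member is extracted into a fresh `mkdtemp()` directory and created with `O_EXCL`, so an already-present file is never reused, and `tmpdir_is_restricted()` reports whether a temporary directory is writable by other users. The helper names, the `bundle.zip/certs/cacert.pem` layout and the certificate bytes are constructed for this example.

```python
import os
import stat
import tempfile
import zipfile

DEMO_PEM = b"-----BEGIN CERTIFICATE-----\nconstructed sample\n-----END CERTIFICATE-----\n"  # not a real cert

def split_zipped_path(path):
    """Split 'dir/bundle.zip/certs/cacert.pem' into (archive, member), or (None, None)."""
    archive, member = os.path.split(path)
    while archive and not os.path.isfile(archive):
        parent, prefix = os.path.split(archive)
        if parent == archive:  # hit the filesystem root without finding a file
            return None, None
        archive, member = parent, (prefix + "/" + member if prefix else member)
    if not archive or not zipfile.is_zipfile(archive):
        return None, None
    return archive, member.replace(os.sep, "/")

def extract_member_safely(zipped_path):
    """Extract the member into a fresh private directory; never reuse an existing path."""
    archive, member = split_zipped_path(zipped_path)
    if archive is None:
        return zipped_path  # ordinary path, nothing to extract
    with zipfile.ZipFile(archive) as zf:
        data = zf.read(member)
    # mkdtemp: unpredictable name, mode 0700, owned by this process
    out_path = os.path.join(tempfile.mkdtemp(prefix="extracted-"), os.path.basename(member))
    # O_EXCL: fail loudly instead of silently reusing a file that is already there
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return out_path

def tmpdir_is_restricted(path=None):
    """True when the temp directory (TMPDIR by default) is not group- or world-writable."""
    mode = os.stat(path or tempfile.gettempdir()).st_mode
    return not mode & (stat.S_IWGRP | stat.S_IWOTH)

def demo():
    """Build a constructed bundle.zip, extract one member and return what a caller should check."""
    work = tempfile.mkdtemp(prefix="demo-")
    archive = os.path.join(work, "bundle.zip")
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("certs/cacert.pem", DEMO_PEM)
    out = extract_member_safely(os.path.join(archive, "certs", "cacert.pem"))
    with open(out, "rb") as fh:
        content = fh.read()
    return content, stat.S_IMODE(os.stat(out).st_mode), tmpdir_is_restricted(work)
```

Calling `demo()` runs the whole flow and returns the extracted bytes, the file mode (`0o600`) and the result of the directory check; `tmpdir_is_restricted()` with no argument inspects the directory `TMPDIR` currently points to.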