PT-2026-28069 · Pypi+1 · Requests+1

Jaycelation · Published 2026-03-25 · Updated 2026-05-24 · CVE-2026-25645

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Requests versions prior to 2.33.0
Description: The requests.utils.extract_zipped_paths() function uses a predictable filename when extracting files from zip archives into the system temporary directory. If a file with the same name already exists, it is reused without validation. A local attacker with write access to the temporary directory could pre-create a malicious file that would be loaded in place of the legitimate one. This impacts applications that directly call extract_zipped_paths(). The function requests.utils.extract_zipped_paths() is also used by HTTPAdapter.cert_verify() to load the CA bundle.
Recommendations: Versions prior to 2.33.0 should be upgraded to version 2.33.0 or later. If upgrading is not possible, set the TMPDIR environment variable to a directory with restricted write access.
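As an added illustration (not requests' own code), the following is a simplified reconstruction of the predictable-name pattern described above, placed beside a hardened variant that writes each extraction to a fresh tempfile.mkstemp() file; the archive, member name, directory and file contents are constructed for the demo:

```python
"""Simplified reconstruction of the weak pattern vs. a hardened extraction; not requests' code."""
import os
import tempfile
import zipfile
from pathlib import Path


def extract_predictable(archive, member, tmpdir=None):
    """Weak pattern: fixed name under the temp dir, reused if present with no validation."""
    tmpdir = tmpdir or tempfile.gettempdir()
    dest = os.path.join(tmpdir, os.path.basename(member))
    if not os.path.exists(dest):  # an existing file of that name short-circuits extraction
        with zipfile.ZipFile(archive) as zf, open(dest, "wb") as out:
            out.write(zf.read(member))
    return dest


def extract_unique(archive, member, tmpdir=None):
    """Hardened: mkstemp() creates a new, unpredictable, owner-only file (O_EXCL), so a
    file someone else pre-created under the expected name can never be picked up."""
    with zipfile.ZipFile(archive) as zf:
        data = zf.read(member)
    fd, dest = tempfile.mkstemp(suffix="-" + os.path.basename(member), dir=tmpdir)
    with os.fdopen(fd, "wb") as out:
        out.write(data)
    return dest


def demo():
    """Build a constructed zip in a private directory and compare both strategies."""
    base = Path(tempfile.mkdtemp())
    archive = str(base / "bundle.zip")
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("certs/cacert.pem", "GENUINE BUNDLE\n")  # constructed sample member
    shared_tmp = base / "shared_tmp"
    shared_tmp.mkdir()
    # Simulate a stale or foreign file already sitting under the predictable name.
    (shared_tmp / "cacert.pem").write_text("STALE CONTENT\n")
    weak = Path(extract_predictable(archive, "certs/cacert.pem", str(shared_tmp))).read_text()
    safe_path = extract_unique(archive, "certs/cacert.pem", str(shared_tmp))
    return {
        "weak": weak,                            # the pre-existing file is returned as-is
        "safe": Path(safe_path).read_text(),     # genuine archive contents
        "safe_path_is_fresh": Path(safe_path).name != "cacert.pem",
    }
```

Running demo() shows the weak variant returning whatever already occupied the predictable path, while the hardened variant always returns the archive's real contents from a newly created file.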

Related Identifiers

BDU:2026-07739
CVE-2026-25645
ECHO-74D4-CC6F-7870
GHSA-GC5V-M9X4-R6X2
OESA-2026-1909
OPENSUSE-SU-2026:10455-1
SUSE-SU-2026:1218-1
SUSE-SU-2026:1644-1
SUSE-SU-2026:1647-1
SUSE-SU-2026:21036-1
SUSE-SU-2026:21063-1

Affected Products

Red Os
Requests