PT-2026-28069 · Psf · Requests

Published: 2026-03-25 · Updated: 2026-03-25 · CVE-2026-25645

CVSS v3.1: 4.4 (Medium) · AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N

Requests is an HTTP library. Prior to version 2.33.0, the function `requests.utils.extract_zipped_paths()` (which is used by `HTTPAdapter.cert_verify()` to load the CA bundle, often from the certifi package's zipapp structure) uses a predictable, non-unique filename (the basename of the file, e.g., `cacert.pem`) when extracting files into the system's temporary directory (`/tmp`). The vulnerable logic checks whether the target file already exists in `/tmp` and reuses the existing file if found, instead of verifying the file's content or ensuring atomic, unique extraction. This allows a local attacker to pre-create a malicious CA bundle file (e.g., `/tmp/cacert.pem`) before a vulnerable application (potentially running with higher privileges) initializes the requests library. Version 2.33.0 contains a patch.
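The predictable-name extraction pattern the description refers to, as an added example (not code from requests or certifi): a weak variant that trusts whatever already sits at the fixed path in a shared temp directory, next to a hardened variant that extracts into a freshly created private directory with an exclusive create and checks the on-disk bundle against the archive. The member name, file contents and helper names are constructed for the demo.

```python
import os
import tempfile
import zipfile

MEMBER = "certifi/cacert.pem"  # hypothetical member path inside the zipapp


def make_demo_archive(workdir, content):
    """Constructed zipapp-like archive so the example runs offline."""
    archive = os.path.join(workdir, "app.pyz")
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr(MEMBER, content)
    return archive


def extract_predictable(archive, tmpdir):
    """Weak pattern: fixed basename in a shared directory; an existing file
    at that path is trusted and reused without checking its content."""
    target = os.path.join(tmpdir, os.path.basename(MEMBER))
    if not os.path.exists(target):
        with zipfile.ZipFile(archive) as zf, open(target, "wb") as out:
            out.write(zf.read(MEMBER))
    return target


def extract_unique(archive, tmpdir):
    """Hardened pattern: fresh private directory (mkdtemp creates it 0700)
    plus an O_EXCL create, so a pre-placed file in tmpdir is never used."""
    private_dir = tempfile.mkdtemp(prefix="certs-", dir=tmpdir)
    target = os.path.join(private_dir, os.path.basename(MEMBER))
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with zipfile.ZipFile(archive) as zf, os.fdopen(fd, "wb") as out:
        out.write(zf.read(MEMBER))
    return target


def matches_archive(path, archive):
    """Content check a loader can run before trusting an on-disk bundle."""
    with zipfile.ZipFile(archive) as zf, open(path, "rb") as f:
        return f.read() == zf.read(MEMBER)


def run_demo():
    """Constructed scenario: a stale file already sits at the predictable path."""
    work = tempfile.mkdtemp(prefix="demo-")
    archive = make_demo_archive(work, b"-----GOOD BUNDLE-----\n")
    shared = os.path.join(work, "shared")
    os.mkdir(shared)
    with open(os.path.join(shared, "cacert.pem"), "wb") as f:
        f.write(b"-----STALE FILE-----\n")
    weak, safe = extract_predictable(archive, shared), extract_unique(archive, shared)
    return {"weak_reused_stale": not matches_archive(weak, archive),
            "safe_matches_archive": matches_archive(safe, archive),
            "safe_in_private_dir": os.path.dirname(safe) != shared}
```

`run_demo()` returns all three flags as `True`: the weak path hands back the stale file, while the hardened path yields a bundle that matches the archive and lives outside the shared directory.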

Fix

Weakness Enumeration

Related Identifiers

CVE-2026-25645

Affected Products

Requests