| Name | CVE-2026-25645 |
|---|---|
| Description | Requests is an HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. Only applications that call `extract_zipped_paths()` directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1132071 |
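The two extraction patterns the description contrasts, as an added Python illustration that is not the requests library's own code: a predictable path under the temp directory that is reused if something already sits there, beside a per-call private directory with an exclusive create. The archive, member name and file names are constructed for the demo.

```python
import os
import tempfile
import zipfile
from pathlib import Path

MEMBER = "data/cacert.pem"  # constructed sample member name
PAYLOAD = b"content from the archive\n"  # constructed sample content


def build_sample_zip(path):
    """Constructed sample archive for the demo: one file inside it."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(MEMBER, PAYLOAD)


def extract_predictable(archive, member, tmpdir=None):
    """Weak pattern from the advisory: fixed name under the temp directory
    (TMPDIR is honoured), reused without validation if it already exists."""
    target = os.path.join(tmpdir or tempfile.gettempdir(), member.split("/")[-1])
    if not os.path.exists(target):
        with zipfile.ZipFile(archive) as zf, open(target, "wb") as out:
            out.write(zf.read(member))
    return target


def extract_private(archive, member, tmpdir=None):
    """Hardened pattern: a fresh mode-0700 directory with an unpredictable name
    per call, and O_EXCL so an unexpected existing file is an error, not a reuse."""
    workdir = tempfile.mkdtemp(prefix="zipextract-", dir=tmpdir)
    target = os.path.join(workdir, os.path.basename(member))
    with zipfile.ZipFile(archive) as zf:
        data = zf.read(member)
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as out:
        out.write(data)
    return target


def demo():
    """Plant a stale file with the predictable name, then run both extractors.
    Returns (weak_ok, hardened_ok): whether each handed back the archive bytes."""
    with tempfile.TemporaryDirectory() as sandbox:
        archive = os.path.join(sandbox, "sample.zip")
        build_sample_zip(archive)
        with open(os.path.join(sandbox, "cacert.pem"), "w") as fh:
            fh.write("stale content left over in the temp directory\n")
        weak = Path(extract_predictable(archive, MEMBER, sandbox)).read_bytes()
        hardened = Path(extract_private(archive, MEMBER, sandbox)).read_bytes()
        return weak == PAYLOAD, hardened == PAYLOAD
```

`demo()` uses an isolated sandbox as the temp directory so the stale file never touches the real `TMPDIR`; the weak extractor returns the planted file, the hardened one returns the archive content.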
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| requests (PTS) | bullseye | 2.25.1+dfsg-2 | vulnerable |
| requests (PTS) | bookworm | 2.28.1+dfsg-1 | vulnerable |
| requests (PTS) | trixie | 2.32.3+dfsg-5+deb13u1 | vulnerable |
| requests (PTS) | forky, sid | 2.32.5+dfsg-1 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| requests | source | (unstable) | (unfixed) | | | 1132071 |
Notes
[trixie] - requests <no-dsa> (Minor issue)
[bookworm] - requests <no-dsa> (Minor issue)
[bullseye] - requests <postponed> (Minor issue, no direct call to extract_zipped_paths found at codesearch.debian.net, work-around exists)
https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2
Fixed by: https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7 (v2.33.0)