{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25645", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-04T05:15:41.791Z", "datePublished": "2026-03-25T17:02:48.402Z", "dateUpdated": "2026-03-25T22:48:33.406Z"}, "containers": {"cna": {"title": "Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function", "problemTypes": [{"descriptions": [{"cweId": "CWE-377", "lang": "en", "description": "CWE-377: Insecure Temporary File", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2"}, {"name": "https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7", "tags": ["x_refsource_MISC"], "url": "https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7"}, {"name": "https://github.com/psf/requests/releases/tag/v2.33.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/psf/requests/releases/tag/v2.33.0"}], "affected": [{"vendor": "psf", "product": "requests", "versions": [{"version": "< 2.33.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T22:48:33.406Z"}, "descriptions": [{"lang": "en", "value": "Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. Only applications that call `extract_zipped_paths()` directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access."}], "source": {"advisory": "GHSA-gc5v-m9x4-r6x2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T20:09:33.855806Z", "id": "CVE-2026-25645", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:09:40.551Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25645", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T20:09:33.855806Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:09:37.239Z"}}], "cna": {"title": "Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function", "source": {"advisory": "GHSA-gc5v-m9x4-r6x2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "psf", "product": "requests", "versions": [{"status": "affected", "version": "< 2.33.0"}]}], "references": [{"url": "https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2", "name": "https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7", "name": "https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/psf/requests/releases/tag/v2.33.0", "name": "https://github.com/psf/requests/releases/tag/v2.33.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Requests is a HTTP library. Prior to version 2.33.0, the function `requests.utils.extract_zipped_paths()` (which is used by `HTTPAdapter.cert_verify()` to load the CA bundle, often from the `certifi` package's zipapp structure) uses a predictable, non-unique filename (the basename of the file, e.g., `cacert.pem`) when attempting to extract files into the system's temporary directory (`/tmp`). The vulnerable logic performs a check to see if the target file already exists in `/tmp` and re-uses the existing file if found, instead of securely checking the file's content or ensuring atomic, unique extraction. This allows a Local Attacker to pre-create a malicious CA bundle file (e.g., `/tmp/cacert.pem`) before a vulnerable application (running with potentially higher privileges) initializes the `requests` library. Version 2.33.0 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-377", "description": "CWE-377: Insecure Temporary File"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T17:02:48.402Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25645", "state": "PUBLISHED", "dateUpdated": "2026-03-25T20:09:40.551Z", "dateReserved": "2026-02-04T05:15:41.791Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-25T17:02:48.402Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Requests is a HTTP library. Prior to version 2.33.0, the function `requests.utils.extract_zipped_paths()` (which is used by `HTTPAdapter.cert_verify()` to load the CA bundle, often from the `certifi` package's zipapp structure) uses a predictable, non-unique filename (the basename of the file, e.g., `cacert.pem`) when attempting to extract files into the system's temporary directory (`/tmp`). The vulnerable logic performs a check to see if the target file already exists in `/tmp` and re-uses the existing file if found, instead of securely checking the file's content or ensuring atomic, unique extraction. This allows a Local Attacker to pre-create a malicious CA bundle file (e.g., `/tmp/cacert.pem`) before a vulnerable application (running with potentially higher privileges) initializes the `requests` library. Version 2.33.0 contains a patch."}], "id": "CVE-2026-25645", "lastModified": "2026-03-25T17:16:52.970", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-25T17:16:52.970", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7"}, {"source": "security-advisories@github.com", "url": "https://github.com/psf/requests/releases/tag/v2.33.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-377"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T19:07:59.892943+00:00", "value": {"mitigation_remediation": ["Upgrade the Requests library to version 2.33.0 or later, which removes the insecure temporary file reuse logic.", "If an immediate upgrade is not possible, ensure that the application process does not have write access to the system temporary directory or that it runs under least\u2011privilege user accounts to prevent local file creation.", "Configure an alternative temporary directory (e.g., by setting the TMPDIR environment variable) and enforce stricter permissions so that only trusted processes can write temporary files.", "As a temporary measure, manually provide a CA bundle path when creating a Session object to avoid automatic loading from the compromised temporary location."], "summary": {"action": "Patch", "impact": "SSL/TLS interception via forged CA bundle"}, "threat_synthesis": {"affected_systems": "The affected product is the Requests HTTP library maintained by the Python Software Foundation. All releases prior to 2.33.0 contain the insecure file reuse logic. The flaw is exercised during the HTTPAdapter.cert_verify() initialization that loads the CA bundle, commonly from the certifi package\u2019s zipapp structure. Systems that rely on older Requests versions and use the default certifi bundle are impacted.", "description_and_impact": "The vulnerability stems from the Requests library\u2019s temporary file handling routine, which re\u2011uses a predictable filename when extracting files into the system temporary directory. A local attacker who can write to the temporary location can pre\u2011create a malicious CA bundle (for example, /tmp/cacert.pem). When the application subsequently imports Requests, the library will load this tampered bundle and trust certificates signed with the fake CA. This allows the attacker to perform man\u2011in\u2011the\u2011middle attacks against HTTPS traffic, compromising confidentiality and integrity for all traffic sent with that instance of Requests, while the attacker remains local to the machine.", "risk_and_exploitability": "The CVSS v3.1 score of 4.4 indicates a low\u2011to\u2011moderate severity. Exploitation requires local write access to the temporary directory (typically /tmp) and the ability to start a privileged Requests process after the malicious file has been staged. The exploit does not involve remote code execution and is not currently listed in CISA\u2019s KEV catalog, nor does it have an EPSS score available. Consequently, the risk is moderate; systems that run Requests under elevated privileges or in environments where local attackers can write to /tmp should be patched or hardened promptly."}}}}, "created": "2026-03-25T21:46:40.533125+00:00", "updated": "2026-03-25T21:46:40.533157+00:00", "vendors": []}