CVE-2026-25645

Published: Mar 25, 2026 Last Modified: Mar 25, 2026
Severity: MEDIUM 4.4
Attack Vector: local
Attack Complexity: high
Privileges Required: low
User Interaction: required
Scope: unchanged
Confidentiality: none
Integrity: high
Availability: none

Description


Requests is an HTTP library. Prior to version 2.33.0, the function `requests.utils.extract_zipped_paths()` (used by `HTTPAdapter.cert_verify()` to load the CA bundle, often from the `certifi` package's zipapp structure) uses a predictable, non-unique filename (the basename of the file, e.g. `cacert.pem`) when extracting files into the system's temporary directory (`/tmp`). The vulnerable logic checks whether the target file already exists in `/tmp` and, if so, re-uses the existing file instead of verifying its content or extracting atomically to a unique path. This allows a local attacker to pre-create a malicious CA bundle file (e.g. `/tmp/cacert.pem`) before a vulnerable application (potentially running with higher privileges) initializes the `requests` library. Version 2.33.0 contains a patch.
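The pattern the advisory describes (check for a predictable file in a shared temp directory, then trust it) is contrasted below with a hardened variant. This is an added illustration written for this page, not the code of `requests` and not its actual fix; the archive contents, function names (`extract_insecure`, `extract_hardened`, `content_matches`, `demo`) and the "planted" file are all constructed for the example.

```python
"""CWE-377 illustration: extracting a CA bundle from a zip into a temp directory.

Added example for this advisory; not the requests library's code or its fix.
All names, bytes and paths below are constructed for the demonstration.
"""
import io
import os
import tempfile
import zipfile

# Constructed sample "zipapp" carrying a CA bundle member.
BUNDLE_NAME = "certifi/cacert.pem"
BUNDLE_BYTES = b"-----BEGIN CERTIFICATE-----\nEXAMPLE-TRUSTED-CA\n-----END CERTIFICATE-----\n"


def build_sample_zip() -> bytes:
    """Build an in-memory zip archive containing the sample bundle."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(BUNDLE_NAME, BUNDLE_BYTES)
    return buf.getvalue()


def extract_insecure(zip_bytes: bytes, member: str, tmpdir: str) -> str:
    """Vulnerable pattern: predictable path (tmpdir/basename) and re-use if present.

    Whatever file happens to sit at that path is returned and trusted, so any
    local user who can write to the shared temp directory chooses its content.
    """
    target = os.path.join(tmpdir, os.path.basename(member))
    if os.path.exists(target):  # check ...
        return target  # ... then trust the pre-existing file unverified
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf, open(target, "wb") as fh:
        fh.write(zf.read(member))  # non-atomic create; also racy
    return target


def extract_hardened(zip_bytes: bytes, member: str, tmpdir: str) -> str:
    """Hardened pattern: private per-process directory plus exclusive create.

    mkdtemp() yields a fresh, unpredictable directory with mode 0700, and
    O_EXCL guarantees the file did not exist before this process created it,
    so the returned path can only contain bytes this process wrote.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        data = zf.read(member)
    private_dir = tempfile.mkdtemp(prefix="cabundle-", dir=tmpdir)
    target = os.path.join(private_dir, os.path.basename(member))
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target


def content_matches(path: str, expected: bytes) -> bool:
    """Defender's check: does the file about to be trusted equal the archive member?"""
    with open(path, "rb") as fh:
        return fh.read() == expected


def demo() -> dict:
    """Simulate a pre-existing file in the shared temp directory (constructed,
    standing in for one written by another local user) and compare which
    bytes each extraction strategy ends up trusting."""
    zip_bytes = build_sample_zip()
    shared_tmp = tempfile.mkdtemp(prefix="shared-tmp-")
    planted = os.path.join(shared_tmp, os.path.basename(BUNDLE_NAME))
    with open(planted, "wb") as fh:
        fh.write(b"-----BEGIN CERTIFICATE-----\nNOT-FROM-THE-ARCHIVE\n-----END CERTIFICATE-----\n")

    insecure_path = extract_insecure(zip_bytes, BUNDLE_NAME, shared_tmp)
    hardened_path = extract_hardened(zip_bytes, BUNDLE_NAME, shared_tmp)
    return {
        "insecure_reused_preexisting_file": insecure_path == planted,
        "insecure_matches_bundle": content_matches(insecure_path, BUNDLE_BYTES),
        "hardened_matches_bundle": content_matches(hardened_path, BUNDLE_BYTES),
    }


if __name__ == "__main__":
    print(demo())
```

The insecure variant silently hands back the pre-existing file, so a CA bundle check downstream would be validating against certificates the application never shipped. The hardened variant never consults a path it did not create; if a deployment must keep a fixed cache path instead, the minimum defence is to compare the cached file's content against the archive member (as `content_matches` does) before using it.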

CWE-377: Insecure Temporary File
CWE Status: Incomplete

Common Consequences
Security Scopes Affected: Confidentiality, Integrity
Potential Impacts: Read Files or Directories; Modify Files or Directories
Applicable Platforms: All platforms may be affected

References
https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7
https://github.com/psf/requests/releases/tag/v2.33.0
https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2