CVE-2026-25645: Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function
The requests.utils.extract_zipped_paths() utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one.
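As an added illustration, not the requests code itself, the following hypothetical extractor reproduces the weakness the advisory describes (a predictable output name under the temp directory, and an existing file at that name trusted without validation) next to a hardened form that extracts into a fresh mkdtemp directory and opens the output with O_EXCL; the archive, member name and planted contents are constructed for the demo.

```python
import os
import tempfile
import zipfile


def make_zip(path, member, data):
    """Build a one-member archive (constructed test input)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(member, data)
    return path


def extract_member_predictable(zip_path, member, tmp_dir):
    """Hypothetical extractor with the advisory's weakness: the output path is
    derived only from the member name, and a file already present there is
    reused as-is, so a locally pre-created file replaces the archive content."""
    out = os.path.join(tmp_dir, os.path.basename(member))
    if os.path.exists(out):  # no check of who created this file
        return out
    with zipfile.ZipFile(zip_path) as zf, zf.open(member) as src, open(out, "wb") as dst:
        dst.write(src.read())
    return out


def extract_member_private(zip_path, member, tmp_dir):
    """Hardened form: a fresh, unpredictable 0700 directory per extraction
    (mkdtemp) plus O_EXCL, so nothing can sit at the output path beforehand
    and the member is always written from the archive."""
    out_dir = tempfile.mkdtemp(prefix="extract-", dir=tmp_dir)
    out = os.path.join(out_dir, os.path.basename(member))
    fd = os.open(out, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)  # fail rather than reuse
    with zipfile.ZipFile(zip_path) as zf, zf.open(member) as src, os.fdopen(fd, "wb") as dst:
        dst.write(src.read())
    return out


def demo(base_dir=None):
    """Plant a file under the predictable name, then extract both ways.
    Returns the bytes each variant ends up serving: (predictable, private)."""
    base_dir = base_dir or tempfile.mkdtemp(prefix="demo-")
    zip_path = make_zip(os.path.join(base_dir, "bundle.zip"), "data.txt", b"GENUINE")
    with open(os.path.join(base_dir, "data.txt"), "wb") as f:  # simulated pre-created file
        f.write(b"PLANTED")
    with open(extract_member_predictable(zip_path, "data.txt", base_dir), "rb") as f:
        predictable = f.read()
    with open(extract_member_private(zip_path, "data.txt", base_dir), "rb") as f:
        private = f.read()
    return predictable, private
```

The predictable variant returns the planted bytes, the hardened variant the archive's; the same per-extraction private directory also removes the race between the existence check and the write.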