Anonymous Intelligence Signal

Python Requests Library Security Flaw: CVE-2026-25645 Exposes Systems to Local File Hijack

The Lab (unverified) | 2026-03-26 14:27:34 | Source: GitHub Issues

A security vulnerability has been disclosed in the widely used Python `requests` library, tracked as CVE-2026-25645. The flaw resides in the `requests.utils.extract_zipped_paths()` helper, which resolves a path that points into a zip archive by extracting the referenced member to a temporary file. A local attacker can hijack that extraction so that the library loads attacker-controlled file contents in place of the archive member. This is not a remote code execution flaw: exploitation requires write access to the host's shared temporary directory, and the impact is that any caller of the helper consumes a file the attacker chose rather than the content of the archive.

The vulnerability stems from the function extracting the archive member to a predictable location: the member's base name inside the system-wide temporary directory returned by `tempfile.gettempdir()`. If a file with that name already exists, the function returns it as-is, without checking that its contents match the archive member. An attacker with write access to the shared temporary directory can therefore pre-create a file (or a symlink) under that name, and every later call to the helper hands the planted file back to the caller in place of the legitimate archive content. The check-then-write sequence also leaves a race window between the existence test and the extraction. The most notable caller inside `requests` itself is the resolution of the default CA bundle path when `certifi` is packaged inside a zip (as in frozen or zipapp deployments); a file planted there would be consumed as the trust store for TLS verification. Any caller of this helper is exposed, and the attack does not require the archive itself to be untrusted.
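The following is an added example, not code from the `requests` project or the advisory: a simplified model of the predictable-temp-path pattern described above, run inside a throwaway directory that stands in for the world-writable tempdir, beside a hardened variant that extracts into a fresh `mkdtemp()` directory with `O_EXCL` and verifies the written bytes. The archive, the `certs/cacert.pem` member name and the planted contents are all constructed for the demonstration.

```python
"""Predictable temp-path extraction versus a hardened variant (constructed demo)."""
import os
import shutil
import tempfile
import zipfile


def make_archive(directory, member, content):
    """Constructed sample input: a zip archive holding a single member."""
    archive = os.path.join(directory, "bundle.zip")
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr(member, content)
    return archive


def extract_predictable(archive, member, shared_tmp):
    """Vulnerable pattern (simplified model, not requests' code): the destination
    is <shared tmp>/<basename of member>, and if that path already exists it is
    trusted and returned without inspecting its contents."""
    dest = os.path.join(shared_tmp, member.split("/")[-1])
    if not os.path.exists(dest):
        with zipfile.ZipFile(archive) as zf, open(dest, "wb") as fh:
            fh.write(zf.read(member))
    return dest


def extract_private(archive, member, shared_tmp):
    """Hardened variant: a fresh per-call directory (mkdtemp, mode 0700, random
    name) so no other local user can pre-seed the path; O_EXCL so an existing
    entry fails instead of being reused; read-back check before returning."""
    with zipfile.ZipFile(archive) as zf:
        data = zf.read(member)
    private_dir = tempfile.mkdtemp(prefix="extract-", dir=shared_tmp)
    dest = os.path.join(private_dir, member.split("/")[-1])
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    with open(dest, "rb") as fh:
        if fh.read() != data:
            raise RuntimeError("extracted file does not match archive member")
    return dest


def demo():
    """Run both helpers against a tempdir an attacker has already seeded.
    Returns the bytes each helper's caller would go on to load."""
    root = tempfile.mkdtemp()
    shared_tmp = os.path.join(root, "shared-tmp")  # stand-in for the shared tempdir
    os.mkdir(shared_tmp)
    member = "certs/cacert.pem"  # constructed name, modelled on a bundled CA file
    genuine = b"-----GENUINE CA BUNDLE-----\n"
    planted = b"-----ATTACKER CA BUNDLE-----\n"
    archive = make_archive(root, member, genuine)

    # Attacker with write access to the shared tempdir plants the predictable name first.
    with open(os.path.join(shared_tmp, "cacert.pem"), "wb") as fh:
        fh.write(planted)

    with open(extract_predictable(archive, member, shared_tmp), "rb") as fh:
        vulnerable_result = fh.read()
    with open(extract_private(archive, member, shared_tmp), "rb") as fh:
        hardened_result = fh.read()
    shutil.rmtree(root)
    return {
        "genuine": genuine,
        "planted": planted,
        "vulnerable": vulnerable_result,
        "hardened": hardened_result,
    }


if __name__ == "__main__":
    result = demo()
    print("vulnerable helper loaded:", result["vulnerable"])
    print("hardened helper loaded:  ", result["hardened"])
```

Running it shows the vulnerable helper returning the planted bytes and the hardened helper returning the archive content. The private directory is the fix that matters: a per-process `mkdtemp()` location removes the shared, predictable path entirely, and the `O_EXCL` open plus read-back are defence in depth against a race on that path.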

The maintainers have released `requests` version 2.33.0 to patch this security hole. The report that surfaced this item is a dependency update pinning `requests` from `==2.32.4` to `==2.33.0`, and the GitHub repository now displays an OpenSSF Scorecard badge, reflecting ongoing security scrutiny. This incident underscores the persistent risks in foundational software supply chains, where a single utility function in a ubiquitous library can become a systemic weakness. Projects depending on `requests` should update to 2.33.0 or later. Where an immediate upgrade is not possible on shared hosts, run the process with a private temporary directory (for example by pointing `TMPDIR`, which `tempfile.gettempdir()` honours, at a directory only the service account can write) so the predictable path is not reachable by other local users.