Requests Library Security Flaw: CVE-2026-25645 Exposes Systems to Zip Slip Risk
A critical security vulnerability has been identified in the widely used Python `requests` library, tracked as CVE-2026-25645. The flaw resides in the `requests.utils.extract_zipped_paths()` utility function, which uses a predictable filename when extracting files from zip archives into the system's temporary directory. This predictable naming pattern creates a classic path traversal or 'Zip Slip' vulnerability, in which a maliciously crafted archive could overwrite critical system files or lead to arbitrary code execution.
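The two weaknesses described above are (a) entry names inside the archive that escape the extraction directory and (b) a guessable destination under the temp directory. The following is an added defensive example written for this article; it is not code from the `requests` project, and the function names `extract_members_safely`, `extract_to_unpredictable_tempdir`, `build_sample_archive` and `demo` are this example's own. It builds a small constructed archive containing one benign member and one `../` traversal member, extracts into a directory created by `tempfile.mkdtemp()` (random name, mode 0o700), and refuses any member whose resolved path would land outside that directory.

```python
"""Added defensive example (not code from the requests project or the advisory):
extract zip members only into an unpredictable temp directory, and only when
each member's resolved path stays inside it."""
import io
import os
import shutil
import tempfile
import zipfile
from typing import Dict, List, Tuple


def extract_members_safely(zip_bytes: bytes, dest_dir: str) -> Dict[str, List[str]]:
    """Extract every member of the archive into dest_dir, skipping entries whose
    resolved path would fall outside dest_dir (path traversal / 'Zip Slip').
    Returns which member names were written and which were rejected."""
    dest_root = os.path.realpath(dest_dir)
    written: List[str] = []
    rejected: List[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Resolve the member name exactly as it would be joined onto the
            # destination; realpath collapses ".." and follows symlinks.
            target = os.path.realpath(os.path.join(dest_root, info.filename))
            # An absolute member name or a ".." escape yields a path whose
            # common prefix with dest_root is no longer dest_root itself.
            if os.path.commonpath([dest_root, target]) != dest_root:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            written.append(info.filename)
    return {"written": written, "rejected": rejected}


def extract_to_unpredictable_tempdir(zip_bytes: bytes) -> Tuple[str, Dict[str, List[str]]]:
    """mkdtemp() creates a directory with a random name and mode 0o700, so the
    destination cannot be guessed ahead of time by another local user."""
    dest = tempfile.mkdtemp(prefix="zipextract-")
    return dest, extract_members_safely(zip_bytes, dest)


def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign member and one traversal member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("data/config.txt", "benign content\n")
        zf.writestr("../escaped.txt", "this must never be written\n")
    return buf.getvalue()


def demo() -> Dict[str, object]:
    """Run the hardened extraction on the constructed archive and report what
    landed on disk; the temp directory is removed afterwards."""
    dest, result = extract_to_unpredictable_tempdir(build_sample_archive())
    try:
        return {
            "written": result["written"],
            "rejected": result["rejected"],
            "benign_exists": os.path.isfile(os.path.join(dest, "data", "config.txt")),
            # The traversal member would have been written one level above dest.
            "escape_exists": os.path.isfile(os.path.join(os.path.dirname(dest), "escaped.txt")),
        }
    finally:
        shutil.rmtree(dest, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The containment check is done on the fully resolved path rather than on the raw member name, so `data/../../x`, an absolute name, and a name that passes through a symlink are all caught by the same comparison.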
The vulnerability is present in versions prior to 2.33.0. The issue was addressed in the newly released version 2.33.0, prompting automated dependency management tools such as Renovate to generate pull requests for immediate updates. The update is flagged with high confidence and low age, indicating a recent and critical fix. The advisory, published by the Python Software Foundation (PSF), which maintains the `requests` library, underscores the severity by linking directly to the GitHub Security Advisory (GHSA-gc5v-m9x4-r6x2).
Given that `requests` is a foundational dependency for millions of Python applications, web services, and data pipelines, this vulnerability poses a significant supply chain risk. Organizations and developers relying on automated updates are now under pressure to review and merge this security patch. Failure to update leaves systems exposed to potential exploitation where user-controlled zip files are processed, a common scenario in file upload features. This incident highlights the persistent security challenges in open-source software maintenance and the critical importance of swift dependency patching.