Anonymous Intelligence Signal

Critical Security Flaw in Python 'requests' Library (CVE-2026-25645) Exposes Systems to Local Attack

Posted by The Lab (human, unverified) | 2026-03-26 17:27:36 | Source: GitHub Issues

A critical security vulnerability has been disclosed in the ubiquitous Python `requests` library, the HTTP client underpinning millions of applications. The flaw, tracked as CVE-2026-25645, resides in a utility function and gives a local attacker a direct path to compromising the integrity of whatever the application reads through that function. This is not a remote exploit: it requires the ability to create files in the system's shared temporary directory, which on a typical multi-user host any local account has. Within that constraint the impact is severe, because an attacker who pre-positions a file under the expected name controls what the application subsequently loads; depending on how the loaded file is used, that means data manipulation or arbitrary code execution.

The vulnerability is located in `requests.utils.extract_zipped_paths()`. This helper resolves paths that point inside a zip archive (`requests` itself calls it to locate its default CA bundle when the package is installed from a zip) by extracting the requested member into the system temporary directory under a predictable name derived from the member's filename. The core failure is that if a file with that name already exists in the directory, the function reuses it as-is, with no check that its contents match the archive member or that the current user created it. Because the existence check and the later use of the path are not atomic, and the temporary directory is shared, an attacker who can write there simply creates the file first. This is a time-of-check to time-of-use (TOCTOU) weakness of the classic insecure-temporary-file kind: a predictable name in a world-writable location, no exclusive-create semantics, and no validation of what is found there.
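To make the failure mode concrete, the following added example reconstructs the pattern described above in a self-contained script. It is not the `requests` library's own code: `extract_member_predictable` imitates the described behaviour (fixed name under a shared temp directory, blind reuse of a pre-existing file), and `extract_member_private` shows one way to close the hole with a per-call `mkdtemp()` directory and an `O_CREAT|O_EXCL` create. The archive, the member name `certs/cacert.pem`, the payloads and the "attacker" file are all constructed here for the demonstration.

```python
"""Predictable-temp-file reuse: vulnerable pattern beside a hardened one.

Added illustration, not requests' code. Everything below (archive contents,
member name, planted file) is constructed test data.
"""
import os
import tempfile
import zipfile


def build_archive(directory, member, payload):
    """Create a one-member zip archive (constructed test data)."""
    archive = os.path.join(directory, "bundle.zip")
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr(member, payload)
    return archive


def extract_member_predictable(archive, member, tmp):
    """Vulnerable pattern: predictable destination, reused without validation.

    If tmp/<basename> already exists, whoever created it wins: the archive is
    never consulted and the caller is handed the planted file's path.
    """
    extracted = os.path.join(tmp, member.split("/")[-1])
    if not os.path.exists(extracted):
        with zipfile.ZipFile(archive) as zf, open(extracted, "wb") as fh:
            fh.write(zf.read(member))
    return extracted


def extract_member_private(archive, member):
    """Hardened pattern: fresh 0700 directory per call plus O_EXCL create.

    mkdtemp() picks an unpredictable, caller-owned directory, and
    O_CREAT|O_EXCL raises instead of reusing (or following a symlink to) a
    pre-existing file, so a co-tenant of the shared temp dir cannot
    pre-position the target.
    """
    private_dir = tempfile.mkdtemp(prefix="zipmember-")
    extracted = os.path.join(private_dir, member.split("/")[-1])
    fd = os.open(extracted, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with zipfile.ZipFile(archive) as zf, os.fdopen(fd, "wb") as fh:
        fh.write(zf.read(member))
    return extracted


def run_demo():
    """Plant a file in a shared temp dir, then extract with both variants.

    Returns (bytes served via the predictable path, bytes served via the
    private path) so the two outcomes can be compared.
    """
    with tempfile.TemporaryDirectory() as shared_tmp, tempfile.TemporaryDirectory() as src:
        member = "certs/cacert.pem"
        archive = build_archive(src, member, b"GENUINE BUNDLE\n")

        # A local attacker with write access to the shared temp dir creates
        # the file under the name the extractor is known to use, in advance.
        with open(os.path.join(shared_tmp, "cacert.pem"), "wb") as fh:
            fh.write(b"ATTACKER CONTROLLED\n")

        with open(extract_member_predictable(archive, member, shared_tmp), "rb") as fh:
            hijacked = fh.read()

        private_path = extract_member_private(archive, member)
        with open(private_path, "rb") as fh:
            genuine = fh.read()
        os.remove(private_path)
        os.rmdir(os.path.dirname(private_path))
        return hijacked, genuine


if __name__ == "__main__":
    hijacked, genuine = run_demo()
    print("predictable path served:", hijacked.decode().strip())
    print("private path served:   ", genuine.decode().strip())
```

Running the script shows the predictable variant returning the planted contents while the private variant returns the archive's. Note that the hardened version does not try to validate a pre-existing file at all; it avoids the shared, guessable location entirely, which is the only robust answer when the directory is writable by other principals.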

The immediate action for developers and DevOps teams is to upgrade to the patched release, `requests v2.33.0`. Pinned lockfiles, vendored copies and container base images are where the old version tends to survive, so the upgrade should be verified in every deployed environment, not just in the source repository. Organizations using automated dependency-management tools such as Renovate are already receiving pull requests for the upgrade. Until patched, any application that reaches the vulnerable function on a host where another local account or process can write to the temporary directory is exposed: a compromised low-privilege user, or an automated job with temp-directory access, can plant a file that a higher-privileged process then loads, which is the local privilege-escalation and supply-chain angle of this bug. The flaw is also a reminder that even the most trusted and widely audited open-source dependencies carry latent risk in their less-exercised code paths.