Python Requests Library Security Flaw: CVE-2026-25645 Exposes Temp Directory Hijack Risk
A critical security vulnerability has been disclosed in the widely used Python `requests` library, tracked as CVE-2026-25645. The flaw resides in the `requests.utils.extract_zipped_paths()` utility function, which writes members extracted from zip archives to a predictable filename in the system's temporary directory. That predictability creates a race condition: if a file with the target name already exists in the temp directory, the function reuses it without validating its contents. This opens a direct path for a local attacker with write access to the shared temporary directory to plant malicious files that could be executed in place of legitimate ones.
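As an added illustration (not code from the `requests` project or from the advisory), the following Python contrasts the predictable-path pattern described above with a hardened variant that extracts into a fresh private directory and refuses to reuse any pre-existing file. The archive contents, the member name `ca-bundle.pem` and the simulated shared temp directory are constructed for the demo; nothing touches the real system temp directory, and the hardened helper is one reasonable design, not the upstream 2.33.0 fix.

```python
"""Predictable-temp-path reuse versus a private, create-only extraction.
Added illustration; the archive, member name and 'shared' directory are
constructed stand-ins and do not represent the real requests code."""
import hashlib
import io
import os
import tempfile
import zipfile


def build_sample_zip(payload: bytes, member: str = "ca-bundle.pem") -> bytes:
    """Build a small in-memory zip archive (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


def extract_predictable(zip_bytes: bytes, member: str, tmp_dir: str) -> str:
    """Weak pattern: a fixed path under a shared temp dir that is reused
    whenever it already exists, with no check of who wrote it or what it holds."""
    target = os.path.join(tmp_dir, member)
    if not os.path.exists(target):
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            with zf.open(member) as src, open(target, "wb") as dst:
                dst.write(src.read())
    return target


def extract_private(zip_bytes: bytes, member: str) -> str:
    """Hardened pattern: a fresh 0700 directory with an unpredictable name per
    call, a create-only open (O_EXCL) so an existing file is an error rather than
    silently reused, and rejection of absolute or traversing member names."""
    if os.path.isabs(member) or ".." in member.split("/"):
        raise ValueError(f"unsafe member name: {member!r}")
    private_dir = tempfile.mkdtemp(prefix="zip-extract-")  # mode 0700 by default
    target = os.path.join(private_dir, os.path.basename(member))
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        data = zf.read(member)
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as dst:
        dst.write(data)
    return target


def sha256_of(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def demo() -> dict:
    """Run both patterns against a simulated shared temp directory that already
    holds a stale file under the expected name. Returns, per pattern, whether
    the path handed back actually contains the archive's genuine content."""
    genuine = b"-----BEGIN CERTIFICATE-----\nGENUINE\n-----END CERTIFICATE-----\n"
    archive = build_sample_zip(genuine)
    shared_tmp = tempfile.mkdtemp(prefix="simulated-shared-tmp-")  # stand-in for /tmp
    # A leftover file from an earlier run (or any other writer) already occupies
    # the predictable name; this is the precondition the advisory describes.
    with open(os.path.join(shared_tmp, "ca-bundle.pem"), "wb") as f:
        f.write(b"STALE CONTENT\n")
    weak_path = extract_predictable(archive, "ca-bundle.pem", shared_tmp)
    safe_path = extract_private(archive, "ca-bundle.pem")
    expected = hashlib.sha256(genuine).hexdigest()
    return {
        "predictable_matches_archive": sha256_of(weak_path) == expected,
        "private_matches_archive": sha256_of(safe_path) == expected,
    }


if __name__ == "__main__":
    print(demo())
```

The weak helper returns the stale file because existence alone is treated as proof of correctness; the private helper cannot be steered to a pre-existing file at all, since the directory name is unpredictable, owned by the caller, and the file is created with `O_EXCL`. Whatever extraction strategy a codebase settles on, the invariant worth checking in review is that the path consumed is one the process itself created, not merely one that happened to exist.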
The vulnerability is present in versions prior to 2.33.0. The Python Software Foundation (PSF), which maintains the `requests` library, has released version 2.33.0 to patch this security hole. The update is classified as a security fix, and the associated GitHub security advisory (GHSA-gc5v-m9x4-r6x2) provides the official details. The flaw's impact is significant because it targets a fundamental utility function in one of the most ubiquitous Python packages, used by millions of applications for HTTP operations.
This vulnerability underscores a persistent class of security risks related to insecure temporary file handling. While exploitation requires local access to the temp directory, the sheer scale of `requests` deployment means the attack surface is vast, affecting web applications, DevOps tooling, data pipelines, and countless automated scripts. Developers and system administrators are under immediate pressure to update their dependencies to `requests>=2.33.0` to mitigate the risk of local privilege escalation or code execution via file hijacking.
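To find the deployments that still need the `requests>=2.33.0` upgrade, the following Python (an added example, not a PSF or pip tool) audits the `requests` lines of a `requirements.txt`. It treats an exact pin below 2.33.0, a lower bound below 2.33.0, an unpinned entry, or an upper-bound-only constraint as needing attention, since each of those can resolve to a vulnerable release. The sample requirements text is constructed; version parsing is a simple three-component comparison rather than full PEP 440.

```python
"""Audit requirements.txt lines for requests pins that can resolve below the
fixed 2.33.0 release (CVE-2026-25645). Added illustration; the sample
requirements content below is constructed."""
import re
from typing import List, Optional, Tuple

FIXED_VERSION = (2, 33, 0)

# name, optional extras such as [security], optional operator and version
_LINE_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)(?:\[[^\]]*\])?\s*"
    r"(?P<op>==|>=|~=|>|<=|<|!=)?\s*(?P<ver>[0-9][0-9A-Za-z.]*)?"
)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Reduce '2.31.0', '2.33' or '2.33.0rc1' to a comparable (major, minor, patch)."""
    nums = []
    for part in text.split(".")[:3]:
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def classify_pin(line: str) -> Optional[str]:
    """Return 'vulnerable', 'safe' or 'unpinned' for a requests line,
    None for comments, blanks and other packages."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    m = _LINE_RE.match(line)
    if not m or m.group("name").lower().replace("_", "-") != "requests":
        return None
    op, ver = m.group("op"), m.group("ver")
    if not op or not ver:
        return "unpinned"  # the resolver may choose any release, old ones included
    v = parse_version(ver)
    if op == "==":
        return "vulnerable" if v < FIXED_VERSION else "safe"
    if op in (">=", "~=", ">"):
        # A floor only helps if the floor itself is already at or past the fix.
        return "safe" if v >= FIXED_VERSION else "vulnerable"
    # '<', '<=' or '!=' alone give no lower bound and so no guarantee.
    return "vulnerable"


def audit_requirements(text: str) -> List[Tuple[str, str]]:
    """Return (line, status) for every requests entry that is not 'safe'."""
    findings = []
    for raw in text.splitlines():
        status = classify_pin(raw)
        if status and status != "safe":
            findings.append((raw.strip(), status))
    return findings


# Constructed sample: three services' pins merged into one file for the demo.
SAMPLE_REQUIREMENTS = """\
flask==3.0.0
requests==2.31.0          # service A, exact pin below the fix
requests[security]>=2.25  # service B, floor too low
requests                  # service C, unpinned
urllib3>=2.0
"""

if __name__ == "__main__":
    for line, status in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{status:10s} {line}")
```

Run it against each repository's lock or requirements file; every non-empty finding is a deployment where a fresh install can still pull in a pre-2.33.0 `requests`. For environments already installed, the same `classify_pin` check can be applied to the `requests==<version>` line emitted by `pip freeze`.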