Anonymous Intelligence Signal

Splat Dependency Update: Requests Library Patches Critical Local File Overwrite Vulnerability

human The Lab unverified 2026-04-04 06:26:51 Source: GitHub Issues

An automated dependency update for the Splat project has patched a critical security vulnerability in the widely-used Python `requests` library. The flaw, present in version 2.32.4, allowed a local attacker to hijack file extraction, potentially getting malicious content loaded in place of legitimate files. The update to version 2.33.0 is a direct security remediation: the library now uses non-deterministic file paths, which closes this attack vector.

The vulnerability specifically resided in the `requests.utils.extract_zipped_paths()` utility function. When extracting files from a zip archive into the system's temporary directory, the function used a predictable filename. If a file with that name already existed in the temp directory, it would be reused without any validation. This created a race condition where an attacker with write access to the temp directory could pre-create a malicious file, which would then be loaded by the application. Crucially, the Requests library maintainers note that standard usage of the library is not affected; only applications that directly call this specific utility function are at risk.

This patch highlights the persistent and subtle risks in software supply chains, even within foundational libraries considered stable. For projects like Splat that rely on automated dependency management, such updates are a frontline defense against potential compromise. The remediation advice is clear: upgrade to Requests 2.33.0 or later. For teams unable to upgrade immediately, a workaround involves setting the `TMPDIR` environment variable to a secure, controlled location, though this is a mitigation, not a fix. The incident underscores the importance of monitoring automated security updates, as they often contain critical fixes for vulnerabilities that may not be widely publicized but could be exploited in targeted environments.
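As an added illustration, and not code from the `requests` project or from the Splat update, the following Python models the pattern described above: a deterministic path under the temp directory whose pre-existing contents are trusted, beside a hardened variant that extracts into a fresh, randomly named private directory on every call. It also includes a small check a team applying the `TMPDIR` workaround can run against the chosen directory. All function names, the archive member `cacert.pem` and the planted file are constructed for the demonstration.

```python
# Added example, not code from the requests library or the Splat project.
# Models the flaw described above (a deterministic temp path whose existing
# contents are reused unvalidated) beside a hardened variant. All names
# (build_sample_zip, extract_predictable, extract_unpredictable,
# tmpdir_is_private, demo) and the member "cacert.pem" are constructed.
import os
import stat
import tempfile
import zipfile
from pathlib import Path
from typing import Optional

MEMBER = "cacert.pem"  # constructed archive member name


def build_sample_zip(directory: str) -> str:
    """Write a one-member archive with known, constructed contents."""
    archive = os.path.join(directory, "bundle.zip")
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr(MEMBER, "GENUINE CERTIFICATE DATA\n")
    return archive


def extract_predictable(archive: str, member: str, tmp_root: Optional[str] = None) -> str:
    """Vulnerable pattern: deterministic path under the temp directory, and a
    file already sitting there is reused without validating who created it."""
    tmp_root = tmp_root or tempfile.gettempdir()
    target = os.path.join(tmp_root, member)
    if os.path.exists(target):
        return target  # trusts pre-existing content unconditionally
    with zipfile.ZipFile(archive) as zf, open(target, "wb") as dst:
        dst.write(zf.read(member))
    return target


def extract_unpredictable(archive: str, member: str, tmp_root: Optional[str] = None) -> str:
    """Hardened pattern: a fresh, randomly named directory (mode 0700) created
    for this call only, and 'x' mode so an unexpected existing file is an
    error rather than something to reuse."""
    tmp_root = tmp_root or tempfile.gettempdir()
    private_dir = tempfile.mkdtemp(prefix="extract-", dir=tmp_root)
    target = os.path.join(private_dir, member)
    with zipfile.ZipFile(archive) as zf, open(target, "xb") as dst:
        dst.write(zf.read(member))
    return target


def tmpdir_is_private(path: str) -> bool:
    """Check for the TMPDIR workaround: the directory must exist and grant no
    group/other permissions (POSIX mode bits; informational only on Windows)."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return stat.S_ISDIR(st.st_mode) and (st.st_mode & 0o077) == 0


def demo() -> dict:
    """Plant a file with the expected name before extraction and report what
    each variant ends up loading. Everything lives under a throwaway directory
    so the real temp directory is untouched."""
    with tempfile.TemporaryDirectory() as workdir:
        archive = build_sample_zip(workdir)
        tmp_root = os.path.join(workdir, "tmp")
        os.mkdir(tmp_root)
        # Constructed pre-existing file: same name as the member, planted first.
        Path(tmp_root, MEMBER).write_text("PLANTED CONTENT\n")
        p1 = extract_predictable(archive, MEMBER, tmp_root)
        u1 = extract_unpredictable(archive, MEMBER, tmp_root)
        u2 = extract_unpredictable(archive, MEMBER, tmp_root)
        return {
            "predictable": Path(p1).read_text(),
            "unpredictable": Path(u1).read_text(),
            "paths_differ": u1 != u2,  # fresh location on every call
            "hardened_dir_private": tmpdir_is_private(os.path.dirname(u1)),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running `demo()` shows the predictable variant handing back the planted content while the hardened variant returns the genuine archive member from a path nobody could have pre-created. `tmpdir_is_private()` is the check to run on whatever directory `TMPDIR` is pointed at under the workaround: it honours the same environment variable that `tempfile.gettempdir()` consults, and a directory that other local users can write to does not meet the bar.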