Python Requests Library Security Flaw: CVE-2026-25645 Exposes Temp Directory Hijack Risk
A critical security vulnerability has been disclosed in the ubiquitous Python `requests` library, exposing a path traversal and file hijack risk within its internal file extraction utility. The flaw, tracked as CVE-2026-25645, resides in the `requests.utils.extract_zipped_paths()` function. This utility uses a predictable filename when extracting files from zip archives into the system's temporary directory. Crucially, if a file with that predictable name already exists in the temp directory, the function will reuse it without performing any validation of its contents or origin.
This design creates a clear attack vector for a local attacker who has write access to the temporary directory. By pre-creating a malicious file with the predictable name, the attacker can hijack the extraction process. When the vulnerable function is called, it would unknowingly load and execute the attacker's pre-placed file instead of the legitimate archive contents. The Python Software Foundation (PSF), which maintains the `requests` library, has released version 2.33.0 to patch this vulnerability, upgrading from the affected version 2.32.5.
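To make the described pattern concrete, here is an added illustration (not the `requests` code and not its actual fix): a helper that caches an extracted zip member under a fixed name in a shared directory and reuses whatever is already there, beside a hardened variant that extracts into a fresh `tempfile.mkdtemp()` directory and opens the target in exclusive-create mode. The function names, the `cacert.pem` member and the sample archive are constructed for the example.

```python
import os
import tempfile
import zipfile

def make_sample_zip(directory):
    """Constructed sample archive with a single member (stand-in for a real bundle)."""
    path = os.path.join(directory, "bundle.zip")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("cacert.pem", "legitimate archive contents")
    return path

def extract_predictable(zip_path, member, shared_dir):
    """Weak pattern described above (illustration, not requests' code): the target
    name is fully predictable, and an existing file is trusted and reused as-is."""
    target = os.path.join(shared_dir, os.path.basename(member))
    if os.path.exists(target):
        return target  # no check of who created it or what it contains
    with zipfile.ZipFile(zip_path) as zf, open(target, "wb") as out:
        out.write(zf.read(member))
    return target

def extract_hardened(zip_path, member, base_dir=None):
    """Hardened pattern: a fresh, unpredictably named directory created mode 0o700 by
    mkdtemp, plus exclusive-create ("x") so a pre-existing file is an error, not a hit."""
    out_dir = tempfile.mkdtemp(prefix="zip-extract-", dir=base_dir)
    target = os.path.join(out_dir, os.path.basename(member))
    with zipfile.ZipFile(zip_path) as zf, open(target, "xb") as out:
        out.write(zf.read(member))
    return target

def demo():
    """Returns the contents each pattern hands back when a stale file already sits at
    the predictable path. Everything runs inside a throwaway temp tree; nothing is executed."""
    with tempfile.TemporaryDirectory() as tmp:
        zip_path = make_sample_zip(tmp)
        shared_dir = os.path.join(tmp, "shared-cache")
        os.mkdir(shared_dir)
        # Constructed: another local user already placed a file at the predictable name.
        with open(os.path.join(shared_dir, "cacert.pem"), "w") as f:
            f.write("pre-existing untrusted contents")
        with open(extract_predictable(zip_path, "cacert.pem", shared_dir)) as f:
            weak = f.read()
        with open(extract_hardened(zip_path, "cacert.pem", base_dir=tmp)) as f:
            hardened = f.read()
    return {"predictable": weak, "hardened": hardened}
```

The property to look for in any such helper is that a file already present at the expected location is never accepted as the extraction result; the real remediation for the library itself is the 2.33.0 upgrade.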
The immediate pressure is on developers and system administrators to apply the patch. The `requests` library is a foundational dependency for millions of Python applications, scripts, and automated systems, making the potential exposure surface vast. While the attack requires local access, it escalates privilege risks in multi-user environments, shared hosting, and containerized systems where temporary directories might be less isolated. Automated dependency management tools like Renovate are already flagging this as a priority security update, signaling the need for rapid deployment to close this predictable-path hijack window.