Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function
Description
Requests is an HTTP library. Prior to version 2.33.0, the requests.utils.extract_zipped_paths() utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. Only applications that call extract_zipped_paths() directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set TMPDIR in their environment to a directory with restricted write access.
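The reuse-without-validation pattern described above, next to a non-deterministic extraction and a check for the TMPDIR workaround. This is an added example, not the Requests source or its patch; the function names, the sandbox directory and the sample archive are constructed for the demonstration.

```python
import os
import stat
import tempfile
import zipfile


def extract_predictable(archive, member, tmpdir):
    """Pre-fix pattern: the destination name is derived from the member name."""
    dest = os.path.join(tmpdir, member.split("/")[-1])
    if not os.path.exists(dest):          # an existing file is trusted as-is
        with zipfile.ZipFile(archive) as zf, open(dest, "wb") as fh:
            fh.write(zf.read(member))
    return dest


def extract_unique(archive, member, tmpdir=None):
    """Hardened pattern: mkstemp creates a new, randomly named 0600 file."""
    suffix = os.path.splitext(member)[1]
    fd, dest = tempfile.mkstemp(suffix=suffix, dir=tmpdir)  # O_EXCL: never reuses
    with zipfile.ZipFile(archive) as zf, os.fdopen(fd, "wb") as fh:
        fh.write(zf.read(member))
    return dest


def tmpdir_is_restricted(path):
    """Workaround check: directory owned by us and not group/world-writable."""
    st = os.stat(path)
    return st.st_uid == os.getuid() and not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)


def demo():
    """Run both patterns against a sandbox that already holds a same-named file."""
    with tempfile.TemporaryDirectory() as sandbox:  # stands in for the shared temp dir
        archive = os.path.join(sandbox, "bundle.zip")
        with zipfile.ZipFile(archive, "w") as zf:
            zf.writestr("certs/cacert.pem", b"LEGITIMATE")  # constructed sample
        with open(os.path.join(sandbox, "cacert.pem"), "wb") as fh:
            fh.write(b"PRE-EXISTING")  # file already sitting at the predictable name
        results = {}
        for name, fn in (("predictable", extract_predictable), ("unique", extract_unique)):
            with open(fn(archive, "certs/cacert.pem", sandbox), "rb") as fh:
                results[name] = fh.read()
        results["sandbox_restricted"] = tmpdir_is_restricted(sandbox)
        return results


if __name__ == "__main__":
    print(demo())
```

`tmpdir_is_restricted()` can be run against the directory you intend to export as TMPDIR when upgrading to 2.33.0 is not possible.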
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| requests (PyPI) | < 2.33.0 | 2.33.0 |
Affected products
References
- github.com/advisories/GHSA-gc5v-m9x4-r6x2 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-25645 (ghsa, ADVISORY)
- github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7 (ghsa, x_refsource_MISC, WEB)
- github.com/psf/requests/releases/tag/v2.33.0 (ghsa, x_refsource_MISC, WEB)
- github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2 (ghsa, x_refsource_CONFIRM, WEB)