Skip to main content

Red Hat EUVDEUVD-2026-15754

| CVE-2026-25645 MEDIUM
Insecure Temporary File (CWE-377)
2026-03-25 https://github.com/psf/requests GHSA-gc5v-m9x4-r6x2
4.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.4 MEDIUM
AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N
SUSE
MEDIUM
qualitative
Red Hat
4.7 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
EUVD ID Assigned
Mar 25, 2026 - 17:01 euvd
EUVD-2026-15754
Analysis Generated
Mar 25, 2026 - 17:01 vuln.today
Patch released
Mar 25, 2026 - 17:01 nvd
Patch available
CVE Published
Mar 25, 2026 - 16:56 nvd
MEDIUM 4.4

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 309 pypi packages depend on requests (191 direct, 120 indirect)

Ecosystem-wide dependent count for version 2.33.0.

DescriptionGitHub Advisory

Impact

The requests.utils.extract_zipped_paths() utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one.

Affected usages

Standard usage of the Requests library is not affected by this vulnerability. Only applications that call extract_zipped_paths() directly are impacted.

Remediation

Upgrade to at least Requests 2.33.0, where the library now extracts files to a non-deterministic location.

If developers are unable to upgrade, they can set TMPDIR in their environment to a directory with restricted write access.

AnalysisAI

The Requests library before version 2.33.0 contains a predictable temporary file extraction vulnerability in the extract_zipped_paths() utility function that allows local attackers to perform file injection attacks. An attacker with write access to the system temporary directory can pre-create a malicious file at a predictable location that will be loaded instead of the legitimate extracted file, potentially leading to code execution or privilege escalation. This vulnerability only affects applications that directly call the vulnerable utility function, as standard Requests library usage is not impacted.

Technical ContextAI

The Requests library (CPE: pkg:pip/requests) provides a utility function extract_zipped_paths() that extracts files from ZIP archives to the system temporary directory. The vulnerability root cause is classified as CWE-377 (Insecure Temporary File), stemming from the use of predictable filenames during extraction without subsequent validation of file integrity or ownership. When extracting zip contents, the function does not generate cryptographically secure or non-deterministic temporary file names, allowing an attacker who has write permissions to the temp directory (typically /tmp on Unix systems or %TEMP% on Windows) to pre-stage a malicious file that will be reused when the legitimate extraction is attempted. The issue is particularly dangerous in multi-user systems or containerized environments where temporary directory access may be shared or predictable.

RemediationAI

Upgrade Requests to version 2.33.0 or later immediately for any application that uses the extract_zipped_paths() utility function. This can be done via pip install --upgrade requests>=2.33.0 or by updating dependency management configurations (requirements.txt, setup.py, pyproject.toml). For applications unable to upgrade immediately, set the TMPDIR environment variable to point to a directory with restricted write access (readable and writable only by the application's user account), which will cause temporary file extraction to occur in a protected location that local attackers cannot pre-stage files in. Review application code for direct usage of requests.utils.extract_zipped_paths() and consider refactoring to use zipfile or tarfile standard library modules with explicit temporary directory management. See vendor advisory at https://github.com/psf/requests/releases/tag/v2.33.0 for release notes.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 12 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.2 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed

Share

EUVD-2026-15754 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy