CVE-2026-25645 Overview
CVE-2026-25645 is an insecure temporary file vulnerability (CWE-377) affecting the Python Requests HTTP library. The requests.utils.extract_zipped_paths() utility function uses predictable filenames when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation, allowing a local attacker with write access to the temp directory to pre-create a malicious file that would be loaded in place of the legitimate one.
Critical Impact
Local attackers can substitute their own file for the one an application expects to load by pre-creating it at the predictable temporary-directory path, potentially leading to code execution or data manipulation in applications that directly call extract_zipped_paths().
Affected Products
- Python Requests library versions prior to 2.33.0
- Applications directly calling requests.utils.extract_zipped_paths()
- Systems where local attackers have write access to the temporary directory
Discovery Timeline
- 2026-03-25 - CVE-2026-25645 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-25645
Vulnerability Analysis
This vulnerability stems from an insecure temporary file handling pattern (CWE-377: Insecure Temporary File) in the Requests library. The extract_zipped_paths() function extracts files from zip archives to the system's temporary directory using deterministic, predictable filenames. When a file with the expected name already exists in the temp directory, the function reuses it without performing any integrity validation or ownership checks.
This creates a Time-of-Check Time-of-Use (TOCTOU) race condition scenario where a local attacker who has gained write access to the system temporary directory (typically /tmp on Unix-like systems or %TEMP% on Windows) can pre-create files with the expected filenames containing malicious content. When the vulnerable application subsequently calls extract_zipped_paths(), it loads the attacker-controlled file instead of the legitimate extracted content.
It is important to note that standard usage of the Requests library for making HTTP requests is not affected by this vulnerability. Only applications that explicitly call the extract_zipped_paths() utility function directly are impacted.
Root Cause
The root cause is the use of predictable, deterministic filenames when extracting files to the system temporary directory, combined with the absence of validation when reusing existing files. The function fails to implement secure temporary file practices such as using randomized filenames, verifying file ownership, or checking file integrity before use.
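The insecure pattern beside a hardened one, as an added illustration (a reconstruction of the pattern, not the Requests project's own code): the deterministic path is reused whenever it already exists, whereas a per-call private directory plus O_EXCL creation can never hand back a file that was already there. The `tmp` argument stands in for the system temporary directory so the scenario runs in isolation.

```python
import os
import tempfile
import zipfile


def insecure_extract(archive, member, tmp):
    """Illustrative reconstruction of the pre-2.33.0 pattern (not the
    library's code): deterministic path under tmp, reused if it exists."""
    extracted_path = os.path.join(tmp, member.split("/")[-1])
    if not os.path.exists(extracted_path):
        with zipfile.ZipFile(archive) as zf, open(extracted_path, "wb") as fh:
            fh.write(zf.read(member))
    return extracted_path  # may be a file another user put there first


def hardened_extract(archive, member, tmp):
    """Extract into a fresh private directory: mkdtemp picks a random name
    and creates it mode 0700, and O_EXCL refuses to open a pre-existing file."""
    private_dir = tempfile.mkdtemp(prefix="extract-", dir=tmp)
    extracted_path = os.path.join(private_dir, os.path.basename(member))
    fd = os.open(extracted_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with zipfile.ZipFile(archive) as zf, os.fdopen(fd, "wb") as fh:
        fh.write(zf.read(member))
    return extracted_path


def demo():
    """Constructed scenario: bundle.zip carries certs/cert.pem, and a stale
    cert.pem already sits in the temp directory. Returns the bytes each
    variant ends up handing back to the caller."""
    tmp = tempfile.mkdtemp()  # stands in for the shared system temp dir
    archive = os.path.join(tmp, "bundle.zip")
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("certs/cert.pem", b"GENUINE")
    with open(os.path.join(tmp, "cert.pem"), "wb") as fh:  # pre-existing file
        fh.write(b"STALE")
    with open(insecure_extract(archive, "certs/cert.pem", tmp), "rb") as fh:
        insecure = fh.read()
    with open(hardened_extract(archive, "certs/cert.pem", tmp), "rb") as fh:
        hardened = fh.read()
    return insecure, hardened


if __name__ == "__main__":
    print(demo())  # (b'STALE', b'GENUINE')
```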
Attack Vector
Exploitation requires local access to the target system with write permissions to the temporary directory. The attacker must:
- Identify an application that directly calls requests.utils.extract_zipped_paths()
- Determine the predictable filename pattern used by the function
- Pre-create a malicious file with the expected filename in the temp directory
- Wait for or trigger the vulnerable application to extract files, causing it to load the attacker's malicious file
The attack is limited to local exploitation scenarios and requires the attacker to already have some level of system access. The vulnerability affects file integrity rather than confidentiality or availability.
Detection Methods for CVE-2026-25645
Indicators of Compromise
- Unexpected files appearing in system temporary directories matching extraction patterns used by the Requests library
- Files in /tmp or %TEMP% directories owned by different users than the running application
- Suspicious file modifications in temporary directories with timestamps preceding application execution
- Application logs indicating file loading from temp directories with unexpected content
Detection Strategies
- Monitor system temporary directories for file creation events from unauthorized users
- Implement file integrity monitoring on temporary directories used by critical applications
- Audit application code for direct usage of requests.utils.extract_zipped_paths()
- Review dependency versions to identify installations of Requests library below 2.33.0
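An added audit helper for the last two strategies (not from the page or the Requests project): it flags Requests versions below 2.33.0 and walks a source file's AST for calls to extract_zipped_paths, whether fully qualified or imported under another name. The sample source is constructed for the demonstration; feed `importlib.metadata.version("requests")` to the version check for a live environment.

```python
import ast
import re

FIXED_VERSION = (2, 33, 0)  # first release carrying the fix


def is_vulnerable_version(version):
    """True when a Requests version string sorts below 2.33.0 (leading
    digits of each of the first three components are compared)."""
    parts = []
    for piece in version.split(".")[:3]:
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    parts += [0] * (3 - len(parts))
    return tuple(parts) < FIXED_VERSION


def find_extract_calls(source):
    """Return sorted (line, callee) pairs for every call to extract_zipped_paths,
    written as requests.utils.extract_zipped_paths(...) or imported by name."""
    tree = ast.parse(source)
    local_names = set()  # names the function was imported under
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module == "requests.utils":
            for alias in node.names:
                if alias.name == "extract_zipped_paths":
                    local_names.add(alias.asname or alias.name)
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr == "extract_zipped_paths":
            hits.append((node.lineno, ast.unparse(func)))
        elif isinstance(func, ast.Name) and func.id in local_names:
            hits.append((node.lineno, func.id))
    return sorted(hits)


# Constructed sample of application source, used as the audit target
SAMPLE = """
import requests
from requests.utils import extract_zipped_paths as ezp
cert = requests.utils.extract_zipped_paths("bundle.zip/certs/ca.pem")
other = ezp("bundle.zip/certs/ca.pem")
requests.get("https://example.invalid")
"""

if __name__ == "__main__":
    print(find_extract_calls(SAMPLE))
```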
Monitoring Recommendations
- Configure endpoint detection solutions to monitor for suspicious file activity in temporary directories
- Implement logging for all file operations in system temp directories by critical applications
- Set up alerts for file permission anomalies in temporary directories
- Use SentinelOne's behavioral AI to detect suspicious file replacement patterns in temp directories
How to Mitigate CVE-2026-25645
Immediate Actions Required
- Upgrade the Python Requests library to version 2.33.0 or later immediately
- Audit all applications for direct usage of requests.utils.extract_zipped_paths() function
- If unable to upgrade, set the TMPDIR environment variable to a directory with restricted write access
- Review and restrict write permissions on system temporary directories where possible
Patch Information
The vulnerability has been addressed in Requests version 2.33.0, which extracts files to non-deterministic locations. The fix is available via the GitHub commit 66d21cb07bd6255b1280291c4fafb71803cdb3b7. Users should upgrade to version 2.33.0 or later as documented in the official release notes. For additional details, refer to the GitHub Security Advisory GHSA-gc5v-m9x4-r6x2.
Workarounds
- Set the TMPDIR environment variable to point to a directory with restricted write access controlled by the application owner
- Implement application-level validation of extracted files before use
- Create a dedicated temporary directory with restricted permissions for each application
- Monitor and restrict access to system temporary directories at the OS level
# Configuration example - Set restricted temporary directory
# Run as root (chown needs it); TMPDIR must be present in the environment of
# the process that runs the application, e.g. its service unit or wrapper script
export TMPDIR=/var/lib/myapp/secure_tmp
mkdir -p "$TMPDIR"
chown appuser:appgroup "$TMPDIR"
chmod 700 "$TMPDIR"
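To confirm from inside the application's own environment that the workaround took effect, an added check (not from the page or the Requests project) that inspects the directory tempfile.gettempdir() resolves to; it assumes a Unix permission model.

```python
import os
import stat
import tempfile


def tmpdir_is_private(path=None):
    """True when the directory Python will use for temp files (TMPDIR is
    honoured by tempfile.gettempdir()) belongs to this process's user and
    carries no group/other write bit. Unix permission model assumed."""
    path = path or tempfile.gettempdir()
    try:
        st = os.stat(path)
    except OSError:
        return False
    if not stat.S_ISDIR(st.st_mode) or st.st_uid != os.getuid():
        return False
    # A sticky 1777 /tmp still fails here: the sticky bit only blocks
    # deletion, not creating a file under a predictable name
    return st.st_mode & (stat.S_IWGRP | stat.S_IWOTH) == 0


def self_check():
    """Constructed check: a fresh mkdtemp dir (mode 0700) passes, the same
    dir opened up to 1777 fails, and a plain file fails."""
    d = tempfile.mkdtemp()
    private = tmpdir_is_private(d)
    os.chmod(d, 0o1777)
    shared = tmpdir_is_private(d)
    f = os.path.join(d, "not_a_dir")
    open(f, "w").close()
    return private, shared, tmpdir_is_private(f)


if __name__ == "__main__":
    print("current TMPDIR private:", tmpdir_is_private())
```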
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.