PyPI: requests
CVE-2026-25645
Safety vulnerability ID: SFTY-20260325-45555
Safety legacy ID: pyup.io-90553
Overview
Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function
Advisory
Affected versions of the requests package are vulnerable to Insecure Temporary File reuse due to predictable temporary filename generation in extract_zipped_paths(). The requests.utils.extract_zipped_paths() utility extracts files from zip archives into the system temporary directory using a deterministic path, and if that file already exists, the function reuses it without validating that it is the expected extracted content.
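A simplified model of the pattern described above, next to a hardened form, as an added example. It is not the code of requests or of its fix; the function names, archive layout and file contents are constructed for illustration, and a private directory stands in for the system temporary directory.

```python
import os
import tempfile
import zipfile


def extract_predictable(archive, member, tmp_dir):
    """Simplified model of the flawed pattern: fixed name, reuse if present."""
    target = os.path.join(tmp_dir, os.path.basename(member))
    if not os.path.exists(target):  # an existing file is trusted as-is
        with zipfile.ZipFile(archive) as zf, open(target, "wb") as out:
            out.write(zf.read(member))
    return target


def extract_unique(archive, member, tmp_dir):
    """Hardened form: always write to a fresh, exclusively created file."""
    suffix = os.path.splitext(member)[1]
    # mkstemp opens with O_CREAT | O_EXCL and mode 0600, so an existing
    # file is never reused and the name cannot be known in advance.
    fd, target = tempfile.mkstemp(suffix=suffix, dir=tmp_dir)
    with os.fdopen(fd, "wb") as out, zipfile.ZipFile(archive) as zf:
        out.write(zf.read(member))
    return target


def demo():
    """Run both forms against a constructed archive and a pre-existing file."""
    with tempfile.TemporaryDirectory() as work:
        shared_tmp = os.path.join(work, "tmp")  # stands in for the system temp dir
        os.mkdir(shared_tmp)
        archive = os.path.join(work, "bundle.zip")
        with zipfile.ZipFile(archive, "w") as zf:
            zf.writestr("pkg/resource.dat", "EXPECTED CONTENT")  # constructed sample
        # A file with the predictable name already exists before extraction.
        with open(os.path.join(shared_tmp, "resource.dat"), "w") as f:
            f.write("PRE-EXISTING CONTENT")
        results = {}
        for name, fn in (("predictable", extract_predictable),
                         ("unique", extract_unique)):
            with open(fn(archive, "pkg/resource.dat", shared_tmp)) as f:
                results[name] = f.read()
        return results


if __name__ == "__main__":
    print(demo())
```

The predictable form hands back whatever was already at the path, while the unique form always returns the archive member's bytes.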
References
- https://getsafety.com/vulnerabilities/SFTY-20260325-45555/CVE-2026-25645
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25645
- https://data.safetycli.com/changelogs/requests/
- https://github.com/advisories/GHSA-gc5v-m9x4-r6x2
- https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7
- https://pypi.org/project/requests
- https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2
- https://github.com/psf/requests/releases/tag/v2.33.0
- https://nvd.nist.gov/vuln/detail/CVE-2026-25645
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
