CVE-2026-25645 (Medium) detected in requests-2.24.0-py2.py3-none-any.whl #148

@mend-bolt-for-github

Description

CVE-2026-25645 - Medium Severity Vulnerability

Vulnerable Library - requests-2.24.0-py2.py3-none-any.whl

Python HTTP for Humans.

Library home page: https://files.pythonhosted.org/packages/45/1e/0c169c6a5381e241ba7404532c16a21d86ab872c9bed8bdcd4c423954103/requests-2.24.0-py2.py3-none-any.whl

Path to dependency file: /day70/requirements.txt

Path to vulnerable library: /day70/requirements.txt

Dependency Hierarchy:

  • requests-2.24.0-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: c88b9429eb68a85b22f0e39cac7bf20b89cb6709

Found in base branch: master

Vulnerability Details

Requests is an HTTP library. Prior to version 2.33.0, the function "requests.utils.extract_zipped_paths()" (used by "HTTPAdapter.cert_verify()" to load the CA bundle, often from the "certifi" package's zipapp structure) uses a predictable, non-unique filename (the basename of the file, e.g., "cacert.pem") when extracting files into the system's temporary directory ("/tmp"). The vulnerable logic checks whether the target file already exists in "/tmp" and, if so, re-uses it instead of verifying the file's content or extracting to a unique file atomically. This allows a local attacker to pre-create a malicious CA bundle file (e.g., "/tmp/cacert.pem") before a vulnerable application (possibly running with higher privileges) initializes the "requests" library. Version 2.33.0 contains a patch.

Publish Date: 2026-03-25

URL: CVE-2026-25645

CVSS 3 Score Details (4.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None
