requests-2.32.5-py3-none-any.whl: 1 vulnerabilities (highest severity is: 4.4)

[mend-bolt-for-github]

Vulnerable Library - requests-2.32.5-py3-none-any.whl

Python HTTP for Humans.

Library home page: https://files.pythonhosted.org/packages/1e/db/4254e3eabe8020b458f1a747140d32277ec7a271daf1d235b70dc0b4e6e3/requests-2.32.5-py3-none-any.whl

Path to dependency file: /SuperCluster/macOS/Python/requirements.txt

Path to vulnerable library: /tmp/ws-ua_20260325185413_DRVGIN/python_CCRPUY/202603251915401/env/lib/python3.9/site-packages/requests-2.32.5.dist-info,/tmp/ws-ua_20260325185413_DRVGIN/python_CCRPUY/202603251915401/env/lib/python3.9/site-packages/requests-2.32.5.dist-info,/tmp/ws-ua_20260325185413_DRVGIN/python_CCRPUY/202603251915401/env/lib/python3.9/site-packages/requests-2.32.5.dist-info,/tmp/ws-ua_20260325185413_DRVGIN/python_CCRPUY/202603251915401/env/lib/python3.9/site-packages/requests-2.32.5.dist-info,/tmp/ws-ua_20260325185413_DRVGIN/python_CCRPUY/202603251915401/env/lib/python3.9/site-packages/requests-2.32.5.dist-info,/tmp/ws-ua_20260325185413_DRVGIN/python_CCRPUY/202603251915401/env/lib/python3.9/site-packages/requests-2.32.5.dist-info

Found in HEAD commit: bf9b5034b2c35dc796e701683484607b4e0bbde4

Vulnerabilities

Vulnerability	Severity	CVSS	Dependency	Type	Fixed in (requests version)	Remediation Possible**
CVE-2026-25645	Medium	4.4	requests-2.32.5-py3-none-any.whl	Direct	https://github.com/psf/requests.git - v2.33.0	❌

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2026-25645

Vulnerable Library - requests-2.32.5-py3-none-any.whl

Python HTTP for Humans.

Library home page: https://files.pythonhosted.org/packages/1e/db/4254e3eabe8020b458f1a747140d32277ec7a271daf1d235b70dc0b4e6e3/requests-2.32.5-py3-none-any.whl

Path to dependency file: /SuperCluster/macOS/Python/requirements.txt

Path to vulnerable library: /tmp/ws-ua_20260325185413_DRVGIN/python_CCRPUY/202603251915401/env/lib/python3.9/site-packages/requests-2.32.5.dist-info,/tmp/ws-ua_20260325185413_DRVGIN/python_CCRPUY/202603251915401/env/lib/python3.9/site-packages/requests-2.32.5.dist-info,/tmp/ws-ua_20260325185413_DRVGIN/python_CCRPUY/202603251915401/env/lib/python3.9/site-packages/requests-2.32.5.dist-info,/tmp/ws-ua_20260325185413_DRVGIN/python_CCRPUY/202603251915401/env/lib/python3.9/site-packages/requests-2.32.5.dist-info,/tmp/ws-ua_20260325185413_DRVGIN/python_CCRPUY/202603251915401/env/lib/python3.9/site-packages/requests-2.32.5.dist-info,/tmp/ws-ua_20260325185413_DRVGIN/python_CCRPUY/202603251915401/env/lib/python3.9/site-packages/requests-2.32.5.dist-info

Dependency Hierarchy:

• ❌ requests-2.32.5-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: bf9b5034b2c35dc796e701683484607b4e0bbde4

Found in base branch: master

Vulnerability Details

Requests is a HTTP library. Prior to version 2.33.0, the "requests.utils.extract_zipped_paths()" utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. Only applications that call "extract_zipped_paths()" directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set "TMPDIR" in their environment to a directory with restricted write access.

Publish Date: 2026-03-25

URL: CVE-2026-25645

CVSS 3 Score Details (4.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-03-25

Fix Resolution: https://github.com/psf/requests.git - v2.33.0

Step up your Open Source Security Game with Mend here

[secure-code-warrior-for-github]

Micro-Learning Topic: Vulnerable library (Detected by phrase)

Matched on "Vulnerable Library"

What is this? (2min video)

Use of vulnerable components will introduce weaknesses into the application. Components with published vulnerabilities will allow easy exploitation as resources will often be available to automate the process.

Try a challenge in Secure Code Warrior