## Critical Security Flaw in Python Requests Library (CVE-2026-25645) Exposes Systems to Local Attack
A critical security vulnerability, tracked as CVE-2026-25645, has been disclosed in the ubiquitous Python `requests` library. The flaw resides in a utility function that handles zip file extraction and writes extracted files to a predictable location, which an attacker can stage in advance. The vulnerability allows a local attacker with write access to the system's temporary directory to potentially execute arbitrary code by planting a malicious file that the library will reuse without validation.

The vulnerability is specifically located within the `requests.utils.extract_zipped_paths()` function. When this function extracts a file from a zip archive, it writes it under a predictable filename in the system's temporary directory. The critical failure is that if a file with that predictable name already exists at the target location, the function reuses it without performing any security checks. This predictable behavior opens a clear path for a local attacker to stage a malicious payload that the `requests` library will then execute.

The maintainers of the `requests` library have released version 2.33.0 to patch this vulnerability. The update is being flagged as a high-priority security fix across dependency management platforms like Renovate. This flaw underscores the persistent risk in foundational software components, where a single utility function in a library used by millions of applications can become a systemic security liability. Developers and system administrators are under immediate pressure to update their dependencies to the patched version to mitigate this local privilege escalation risk.
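As an added example (not code from this article or from the `requests` project), the block below shows one way to harden this kind of extraction and one way to audit a file that was already extracted: the archive member is written into a fresh, private directory and opened with `O_EXCL`, so a pre-existing file is never reused, and a hash comparison flags a file in a shared location whose contents no longer match the archive member. The function names, the sample archive and its contents are constructed for the example.

```python
import hashlib
import os
import tempfile
import zipfile


def member_matches_file(zip_path, member, on_disk_path):
    """Audit check: True only if the file on disk is byte-identical to the
    archive member. A reused file that no longer matches the archive fails."""
    with zipfile.ZipFile(zip_path) as zf:
        expected = hashlib.sha256(zf.read(member)).hexdigest()
    with open(on_disk_path, "rb") as fh:
        actual = hashlib.sha256(fh.read()).hexdigest()
    return expected == actual


def extract_member_privately(zip_path, member):
    """Hardened extraction (example, not requests' own code): write into a
    fresh 0700 directory owned by the caller rather than a predictable name
    in the shared temp dir, and refuse to reuse anything already there
    (O_EXCL makes the open fail if the path exists)."""
    with zipfile.ZipFile(zip_path) as zf:
        data = zf.read(member)
    private_dir = tempfile.mkdtemp(prefix="zipmember-")  # created with mode 0700
    dest = os.path.join(private_dir, os.path.basename(member))
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


def build_sample_zip(directory):
    """Constructed sample archive with one member (placeholder content)."""
    zip_path = os.path.join(directory, "bundle.zip")
    with zipfile.ZipFile(zip_path, "w") as zf:
        zf.writestr("certs/cacert.pem", b"-----BEGIN CERTIFICATE-----\nsample\n")
    return zip_path


def demo():
    """Returns (shared_file_ok, private_file_ok, paths_differ)."""
    work = tempfile.mkdtemp(prefix="demo-")
    zip_path = build_sample_zip(work)
    # A file with the member's basename whose contents differ from the
    # archive: the audit check reports it as not matching.
    stale = os.path.join(work, "cacert.pem")
    with open(stale, "wb") as fh:
        fh.write(b"contents that are not the archive member\n")
    stale_ok = member_matches_file(zip_path, "certs/cacert.pem", stale)
    # The hardened extraction never looks at the existing file.
    fresh = extract_member_privately(zip_path, "certs/cacert.pem")
    fresh_ok = member_matches_file(zip_path, "certs/cacert.pem", fresh)
    return stale_ok, fresh_ok, fresh != stale
```

Running `demo()` yields `(False, True, True)`: the mismatched file is flagged, and the privately extracted copy matches the archive and lives at a different path.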
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, software vulnerability, python, CVE-2026-25645, supply chain risk
- **Credibility**: unverified
- **Published**: 2026-03-26 15:27:20
- **ID**: 35703
- **URL**: https://whisperx.ai/en/intel/35703