## Critical Security Flaw in Python 'requests' Library (CVE-2026-25645) Exposes Systems to Local Attack
A critical security vulnerability has been disclosed in the ubiquitous Python `requests` library, a foundational component for HTTP communication in millions of applications. The flaw, tracked as CVE-2026-25645, resides in a utility function and lets a local attacker who can write to the system's temporary directory substitute a file of their choosing for one that the library expects to extract from a zip archive. This is not a remote code execution flaw, but its presence in such a core and widely deployed package elevates its significance across the software supply chain.

The vulnerability is specifically located within the `requests.utils.extract_zipped_paths()` function, which is reached when a caller hands `requests` a path that refers to a member of a zip archive. The security advisory details that the function extracts that member into the system's temporary directory under a predictable filename. Crucially, if a file with that name already exists in the temporary directory, the function skips extraction and returns the existing file without validating that its contents came from the archive. This is the classic predictable-temporary-file flaw: any local user who can write to the shared temporary directory (typically world-writable) can pre-plant a file with the anticipated name before the victim process runs. When the vulnerable function is later invoked, it hands the caller the attacker's file in place of the archive member, so whatever the caller does with the extracted data, whether reading configuration or loading a resource, is done on attacker-controlled content; the precise impact depends on what the caller does with the returned path. Because the attacker wins simply by creating the file first, no race window needs to be hit.
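As an added illustration of the pattern the advisory describes (this is example code written for this page, not the `requests` source and not the upstream fix), the block below builds a tiny zip archive inside a sandbox directory, pre-plants a file at the predictable destination, and then compares a function that mirrors the flawed behaviour with a hardened variant. Two assumptions are made: the destination name is taken to be the archive member's base name inside the temp directory, and the temp directory is passed in as a parameter so the demo never touches the real system temp directory (the library itself uses `tempfile.gettempdir()`). The hardened variant closes the hole by extracting into a fresh `mkdtemp()` directory and opening the target with `O_EXCL`; that is one correct fix, not necessarily the one shipped in 2.33.0.

```python
import os
import shutil
import tempfile
import zipfile


def make_archive(directory, member, payload):
    """Constructed fixture: a one-member zip archive written into `directory`."""
    archive = os.path.join(directory, "bundle.zip")
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr(member, payload)
    return archive


def extract_member_predictable(archive, member, tmp_dir):
    """Mirrors the flawed pattern described in the advisory (illustrative, not
    the library's code): the destination is <tmp_dir>/<member basename>, and a
    file already present at that path is returned untouched and unverified.
    The real function uses tempfile.gettempdir(); tmp_dir is a parameter here
    so the demo stays inside its sandbox."""
    extracted = os.path.join(tmp_dir, member.split("/")[-1])
    if not os.path.exists(extracted):            # a pre-planted file wins here
        with zipfile.ZipFile(archive) as zf, open(extracted, "wb") as out:
            out.write(zf.read(member))
    return extracted


def extract_member_hardened(archive, member, tmp_dir):
    """One way to close the hole (added here; not necessarily the upstream fix):
    a fresh private directory from mkdtemp (unpredictable name, mode 0700) plus
    O_EXCL creation, so a pre-existing file or symlink raises instead of being
    silently reused."""
    private = tempfile.mkdtemp(prefix="zipped-", dir=tmp_dir)
    extracted = os.path.join(private, os.path.basename(member))
    fd = os.open(extracted, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with zipfile.ZipFile(archive) as zf, os.fdopen(fd, "wb") as out:
        out.write(zf.read(member))
    return extracted


def demo():
    """Run both variants against a pre-planted file; return what each handed back."""
    sandbox = tempfile.mkdtemp(prefix="cve-2026-25645-demo-")
    try:
        fake_tmp = os.path.join(sandbox, "tmp")   # stands in for the shared temp dir
        os.mkdir(fake_tmp)
        member = "data/config.txt"
        archive = make_archive(sandbox, member, b"trusted content from the archive")

        # Attacker step: create the predictable path before the victim runs.
        planted = os.path.join(fake_tmp, "config.txt")
        with open(planted, "wb") as f:
            f.write(b"ATTACKER CONTROLLED")

        vuln_path = extract_member_predictable(archive, member, fake_tmp)
        hard_path = extract_member_hardened(archive, member, fake_tmp)
        with open(vuln_path, "rb") as f:
            vuln_data = f.read()
        with open(hard_path, "rb") as f:
            hard_data = f.read()
        return {
            "vulnerable_returned_planted_path": vuln_path == planted,
            "vulnerable_data": vuln_data,
            "hardened_data": hard_data,
        }
    finally:
        shutil.rmtree(sandbox, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running the script prints that the predictable variant returned the planted path and its attacker-controlled bytes, while the hardened variant returned the archive's own bytes. On a real host the equivalent of `fake_tmp` is the shared temp directory, which is exactly why a fixed, guessable filename there is never safe to trust across invocations.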

The immediate pressure is on development and security teams to assess their dependency trees, including transitive pins in lockfiles and copies vendored into container images, and apply the patched version, `requests v2.33.0`. The update is marked as addressing this security issue. Given the library's massive adoption, the ripple effect of this CVE is substantial, prompting urgent scrutiny of deployment pipelines and container images. Although the attack requires local access and only applies where the vulnerable function is actually reached, the flaw underscores the persistent risks in foundational open-source components and the critical need for automated dependency management (for example, an SCA scanner such as `pip-audit` run in CI) to surface and mitigate such exposures swiftly.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, software supply chain, python, vulnerability, CVE-2026-25645
- **Credibility**: unverified
- **Published**: 2026-04-13 18:22:53
- **ID**: 62431
- **URL**: https://whisperx.ai/en/intel/62431