## Requests Python Library Patches Critical Zip Slip Vulnerability (CVE-2026-25645)
A critical security flaw in the ubiquitous Python `requests` library has been patched, exposing countless applications to a local file overwrite attack. The vulnerability, tracked as CVE-2026-25645, resides in the `requests.utils.extract_zipped_paths()` utility function. This function extracts files from zip archives into the system's temporary directory but uses a predictable filename. Crucially, if a file with that name already exists in the temp directory, the function reuses it without any validation. This creates a classic Zip Slip-style vector, allowing a local attacker with write access to the shared temporary directory to plant a malicious file that would be executed or used in place of the legitimate one.

The flaw was addressed in version 2.33.0 of the `requests` library, released by the Python Software Foundation (PSF). The update changes the function's behavior to use a securely randomized temporary filename, eliminating the predictable path issue. The vulnerability's impact is significant due to `requests` being one of the most downloaded Python packages globally, forming the backbone of HTTP communication for millions of applications, scripts, and cloud services. Any codebase using this utility function for processing zip files from untrusted sources was potentially at risk.

The patch was delivered via an automated dependency update pull request from RenovateBot, which was subsequently merged and autoclosed. While the fix is now available, the real-world risk hinges on widespread and prompt adoption. Development and security teams must immediately upgrade their dependencies to `requests>=2.33.0`. The lingering exposure period for unpatched systems, especially in shared or containerized environments where the `/tmp` directory is accessible, could be exploited for privilege escalation or code execution.
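
To make the distinction concrete, here is an added example (not the requests library's own code) contrasting the predictable-reuse pattern described above with extraction into a freshly created, randomly named temp file; the function names, archive name and member name are constructed for the demo.

```python
"""Illustrative reconstruction of the predictable temp-file pattern and a
hardened alternative; example code for this article, not the requests library's."""
import os
import shutil
import tempfile
import zipfile

def extract_member_predictable(archive, member, tmp_dir):
    """Vulnerable pattern: destination is derived from the member's basename,
    and whatever already exists at that path is reused without validation."""
    dest = os.path.join(tmp_dir, member.split("/")[-1])
    if not os.path.exists(dest):  # a pre-planted file short-circuits extraction
        with zipfile.ZipFile(archive) as zf, open(dest, "wb") as fh:
            fh.write(zf.read(member))
    return dest

def extract_member_hardened(archive, member, tmp_dir):
    """Hardened pattern: always extract into a freshly created, randomly named
    file; mkstemp opens with O_CREAT|O_EXCL, so nothing pre-existing is reused."""
    fd, dest = tempfile.mkstemp(
        prefix="extracted-", suffix="-" + os.path.basename(member), dir=tmp_dir)
    with zipfile.ZipFile(archive) as zf, os.fdopen(fd, "wb") as fh:
        fh.write(zf.read(member))
    return dest

def demo():
    """Constructed scenario (not from the advisory): a legitimate archive plus a
    file planted in the shared temp dir under the name the predictable
    extractor will choose. Returns (content seen by vulnerable, by hardened)."""
    work = tempfile.mkdtemp()
    try:
        archive = os.path.join(work, "bundle.zip")
        member = "data/settings.json"
        with zipfile.ZipFile(archive, "w") as zf:
            zf.writestr(member, b"GENUINE")
        with open(os.path.join(work, "settings.json"), "wb") as fh:
            fh.write(b"PLANTED")  # stands in for an attacker-writable /tmp
        with open(extract_member_predictable(archive, member, work), "rb") as fh:
            vuln = fh.read()
        with open(extract_member_hardened(archive, member, work), "rb") as fh:
            fixed = fh.read()
        return vuln, fixed
    finally:
        shutil.rmtree(work)

if __name__ == "__main__":
    print(demo())  # (b'PLANTED', b'GENUINE')
```

The vulnerable variant hands back the planted content while the hardened one returns the genuine archive member, which is the behavioural difference the 2.33.0 change is meant to produce.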
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, python, software supply chain, vulnerability, CVE-2026-25645
- **Credibility**: unverified
- **Published**: 2026-04-15 13:22:58
- **ID**: 65639
- **URL**: https://whisperx.ai/en/intel/65639