## Critical Security Flaw in Python 'requests' Library (CVE-2026-25645) Exposes Systems to Local Attack
A critical security vulnerability has been disclosed in the ubiquitous Python `requests` library, a foundational component for web communication in millions of applications. The flaw, tracked as CVE-2026-25645, resides in a utility function and creates a direct path for a local attacker to compromise system integrity. This is not a theoretical remote exploit but a tangible local attack vector that could be leveraged in multi-user environments or through other initial access methods.

The vulnerability is specifically located within the `requests.utils.extract_zipped_paths()` function. This utility, used when handling paths that point inside zip archives, extracts the requested member to a predictable filename in the system's temporary directory. The critical failure is that if a file with that name already exists there, the function reuses it as-is, without validating its contents or origin. A local actor with write access to the shared temporary directory can therefore plant a file under the expected name, and the vulnerable application will then execute or process that file in place of the genuine archive member.
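The weak pattern described above next to a hardened one, as an added example: it is a condensed reconstruction of the described behaviour, not the requests project's own code and not part of the original write-up. It relies only on the standard library; the archive, the member name `certs/cacert.pem` and the planted file are constructed fixtures, and the "shared temp directory" is a throwaway directory so the demo never touches the real system temp location. In requests this helper is used to resolve the path of the bundled CA certificates, so whatever file sits at the reused name is what the application goes on to trust.

```python
import os
import tempfile
import zipfile

# Constructed sample data: the genuine archive member and a file another local
# user has left under the predictable name in the shared temp directory.
GENUINE = b"-----BEGIN CERTIFICATE-----\nconstructed genuine bundle\n-----END CERTIFICATE-----\n"
PLANTED = b"constructed file planted under the predictable name\n"
MEMBER = "certs/cacert.pem"


def build_archive(workdir):
    """Create a small zip archive containing MEMBER (constructed test fixture)."""
    archive = os.path.join(workdir, "bundle.zip")
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr(MEMBER, GENUINE)
    return archive


def weak_extract(archive, member, tmpdir):
    """Reconstruction of the pattern described in the write-up (hypothetical, not
    requests' own code): the target name is derived only from the member's basename,
    and an existing file at that path is returned without any check."""
    target = os.path.join(tmpdir, os.path.basename(member))
    if not os.path.exists(target):
        with zipfile.ZipFile(archive) as zf, open(target, "wb") as out:
            out.write(zf.read(member))
    return target  # may be a file this process never wrote


def hardened_extract(archive, member, tmpdir):
    """Safer pattern: extract into a fresh private directory (mkdtemp gives an
    unpredictable name with mode 0700) and create the file with O_EXCL so a
    pre-existing file or symlink at the target path fails instead of being reused."""
    private_dir = tempfile.mkdtemp(prefix="extract-", dir=tmpdir)
    target = os.path.join(private_dir, os.path.basename(member))
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with zipfile.ZipFile(archive) as zf, os.fdopen(fd, "wb") as out:
        out.write(zf.read(member))
    return target


def demo():
    """Run both extractors against a shared temp directory that already holds a
    planted 'cacert.pem'; report whether each returned the archive's real content."""
    with tempfile.TemporaryDirectory() as shared_tmp, tempfile.TemporaryDirectory() as workdir:
        archive = build_archive(workdir)
        with open(os.path.join(shared_tmp, os.path.basename(MEMBER)), "wb") as f:
            f.write(PLANTED)
        results = {}
        for name, extractor in (("weak", weak_extract), ("hardened", hardened_extract)):
            with open(extractor(archive, MEMBER, shared_tmp), "rb") as f:
                results[name] = f.read() == GENUINE
        return results


if __name__ == "__main__":
    print(demo())  # {'weak': False, 'hardened': True}
```

Comparing a cached file's digest against the archive member would also catch the mismatch, but extracting into a fresh private directory removes the shared, predictable name altogether, so there is nothing for a pre-planted file to collide with and no time-of-check/time-of-use gap to reason about.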

The impact is significant due to the `requests` library's near-universal adoption across the Python ecosystem, from web frameworks and APIs to data science tools and DevOps scripts. Any application using this library's zip extraction functionality is potentially at risk. The disclosure has triggered immediate action in the open-source community, with an automated dependency update (Renovate Bot) already proposing an upgrade from version 2.32.5 to the patched 2.33.0. System administrators and developers must prioritize this update to close a window for local privilege escalation or code execution attacks.
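To find which projects still pin an affected release, here is a small requirements-file scanner added as an example (not from the page or the requests project). It takes the patched version to be 2.33.0, as the write-up states, treats exact pins and upper bounds below that as affected, and reports open ranges as needing a lockfile check rather than guessing; the sample requirements text is constructed.

```python
import re

# Patched release named in the write-up; anything pinned below it is affected.
FIXED_VERSION = (2, 33, 0)

# Matches one requirement line: name, optional operator, optional version.
# Environment markers (after ';') and comments (after '#') are stripped first.
_REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*"
    r"(?:(?P<op>===|==|~=|!=|<=|>=|<|>)\s*(?P<version>[0-9][0-9A-Za-z.+!-]*))?"
)


def parse_version(text):
    """Turn '2.32.5' into (2, 32, 5); non-numeric tails (rc1, post1) are dropped and
    the tuple is padded to three components so '2.33' compares equal to '2.33.0'."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    parts += [0] * (3 - len(parts))
    return tuple(parts)


def is_affected(version):
    """True when an exact version is below the patched release."""
    return parse_version(version) < FIXED_VERSION


def classify(op, version):
    """Decide what a specifier says about the installed version:
    'affected'   - every version it admits is below the fix
    'fixed'      - pinned exactly at or above the fix
    'unresolved' - a range that may resolve either way (check the lockfile instead)"""
    if op in ("==", "==="):
        return "affected" if is_affected(version) else "fixed"
    if op == "<=" and is_affected(version):
        return "affected"
    if op == "<" and parse_version(version) <= FIXED_VERSION:
        return "affected"
    return "unresolved"


def scan_requirements(text, package="requests"):
    """Return (line_number, specifier, verdict) for every line naming `package`."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        m = _REQ_RE.match(line)
        if not m or m.group("name").lower().replace("_", "-") != package:
            continue
        op, version = m.group("op"), m.group("version")
        spec = f"{op}{version}" if op else "(unpinned)"
        findings.append((number, spec, classify(op, version)))
    return findings


# Constructed sample requirements file (not from any real project).
SAMPLE = """\
requests==2.32.5          # the pre-patch version named in the write-up
Requests==2.33.0 ; python_version >= "3.8"
requests>=2.30
urllib3==2.2.3
requests<2.33.0
"""

if __name__ == "__main__":
    for number, spec, verdict in scan_requirements(SAMPLE):
        print(f"line {number}: requests{spec} -> {verdict}")
```

An "unresolved" range is not a clean bill of health: what actually ships is whatever the resolver picked, so the installed version (for example from `pip freeze` or the lockfile) is the value to compare, and the fix is to pin or bump to at least 2.33.0.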
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, python, vulnerability, CVE-2026-25645, supply-chain
- **Credibility**: unverified
- **Published**: 2026-04-19 21:22:32
- **ID**: 71406
- **URL**: https://whisperx.ai/en/intel/71406