Vulnerable Library - requests-2.32.5-py3-none-any.whl
Python HTTP for Humans.
Library home page: https://files.pythonhosted.org/packages/1e/db/4254e3eabe8020b458f1a747140d32277ec7a271daf1d235b70dc0b4e6e3/requests-2.32.5-py3-none-any.whl
Path to dependency file: /dev-requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260217194741_QDCSVR/python_LPKUNC/20260217194742/58/requests-2.32.5-py3-none-any.whl,/tmp/ws-ua_20260217194741_QDCSVR/python_LPKUNC/20260217194742/67/requests-2.32.5-py3-none-any.whl,/tmp/ws-ua_20260217194741_QDCSVR/python_LPKUNC/20260217194742/20/requests-2.32.5-py3-none-any.whl,/tmp/ws-ua_20260217194741_QDCSVR/python_LPKUNC/20260217194742/57/requests-2.32.5-py3-none-any.whl,/tmp/ws-ua_20260217194741_QDCSVR/python_LPKUNC/20260217194742/80/requests-2.32.5-py3-none-any.whl,/tmp/ws-ua_20260217194741_QDCSVR/python_LPKUNC/20260217194742/69/requests-2.32.5-py3-none-any.whl,/tmp/ws-ua_20260217194741_QDCSVR/python_LPKUNC/20260217194742/68/requests-2.32.5-py3-none-any.whl,/tmp/ws-ua_20260217194741_QDCSVR/python_LPKUNC/20260217194742/56/requests-2.32.5-py3-none-any.whl
Vulnerabilities
In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation.
Details
CVE-2026-25645
Dependency Hierarchy:
- ❌ requests-2.32.5-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Requests is an HTTP library. Prior to version 2.33.0, the "requests.utils.extract_zipped_paths()" utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. Only applications that call "extract_zipped_paths()" directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set "TMPDIR" in their environment to a directory with restricted write access.
Publish Date: 2026-03-25
URL: CVE-2026-25645
CVSS 3 Score Details (4.4)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: High
  - Privileges Required: Low
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-25
Fix Resolution: https://github.com/psf/requests.git - v2.33.0
⛑️ Automatic Remediation will be attempted for this issue.