Skip to content

security(pip_requirements): 🛡️ minor dependency to v2.33.0#40

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/vulnerability-medium
Open

security(pip_requirements): 🛡️ minor dependency to v2.33.0#40
renovate[bot] wants to merge 1 commit intomainfrom
renovate/vulnerability-medium

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate bot commented Mar 25, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
requests (changelog) ==2.32.4==2.33.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2026-25645

Impact

The requests.utils.extract_zipped_paths() utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one.

Affected usages

Standard usage of the Requests library is not affected by this vulnerability. Only applications that call extract_zipped_paths() directly are impacted.

Remediation

Upgrade to at least Requests 2.33.0, where the library now extracts files to a non-deterministic location.

If developers are unable to upgrade, they can set TMPDIR in their environment to a directory with restricted write access.

Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function

CVE-2026-25645 / GHSA-gc5v-m9x4-r6x2

More information

Details

Impact

The requests.utils.extract_zipped_paths() utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one.

Affected usages

Standard usage of the Requests library is not affected by this vulnerability. Only applications that call extract_zipped_paths() directly are impacted.

Remediation

Upgrade to at least Requests 2.33.0, where the library now extracts files to a non-deterministic location.

If developers are unable to upgrade, they can set TMPDIR in their environment to a directory with restricted write access.

Severity

  • CVSS Score: 4.4 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

psf/requests (requests)

v2.33.0

Compare Source

Announcements

  • 📣 Requests is adding inline types. If you have a typed code base that
    uses Requests, please take a look at #​7271. Give it a try, and report
    any gaps or feedback you may have in the issue. 📣

Security

  • CVE-2026-25645 requests.utils.extract_zipped_paths now extracts
    contents to a non-deterministic location to prevent malicious file
    replacement. This does not affect default usage of Requests, only
    applications calling the utility function directly.

Improvements

  • Migrated to a PEP 517 build system using setuptools. (#​7012)

Bugfixes

  • Fixed an issue where an empty netrc entry could cause
    malformed authentication to be applied to Requests on
    Python 3.11+. (#​7205)

Deprecations

  • Dropped support for Python 3.9 following its end of support. (#​7196)

Documentation

  • Various typo fixes and doc improvements.

v2.32.5

Compare Source

Bugfixes

  • The SSLContext caching feature originally introduced in 2.32.0 has created
    a new class of issues in Requests that have had negative impact across a number
    of use cases. The Requests team has decided to revert this feature as long term
    maintenance of it is proving to be unsustainable in its current iteration.

Deprecations

  • Added support for Python 3.14.
  • Dropped support for Python 3.8 following its end of support.

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from a team as a code owner March 25, 2026 21:28
@renovate renovate bot requested a review from pacificcode March 25, 2026 21:28
@renovate renovate bot enabled auto-merge (squash) March 25, 2026 21:28
@snyk-io
Copy link
Copy Markdown
Contributor

snyk-io bot commented Mar 25, 2026
edited
Loading

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues
Code Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@renovate-approve renovate-approve[bot] renovate-approve[bot] approved these changes

@pacificcode pacificcode Awaiting requested review from pacificcode pacificcode is a code owner automatically assigned from DelineaXPM/dsv-contributors

At least 1 approving review is required to merge this pull request.

Assignees

@renovate renovate[bot]

Labels

dependencies ignore-stale security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants