Skip to content

Update dependency requests to v2.33.0 [SECURITY]#27

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/pypi-requests-vulnerability
Open

Update dependency requests to v2.33.0 [SECURITY]#27
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/pypi-requests-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Mar 31, 2026

Copy link
Copy Markdown

This PR contains the following updates:

Package Change Age Confidence
requests (changelog) 2.32.52.33.0 age confidence

Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function

CVE-2026-25645 / GHSA-gc5v-m9x4-r6x2

More information

Details

Impact

The requests.utils.extract_zipped_paths() utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one.

Affected usages

Standard usage of the Requests library is not affected by this vulnerability. Only applications that call extract_zipped_paths() directly are impacted.

Remediation

Upgrade to at least Requests 2.33.0, where the library now extracts files to a non-deterministic location.

If developers are unable to upgrade, they can set TMPDIR in their environment to a directory with restricted write access.

Severity

  • CVSS Score: 4.4 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

psf/requests (requests)

v2.33.0

Compare Source

Announcements

  • 📣 Requests is adding inline types. If you have a typed code base that
    uses Requests, please take a look at #​7271. Give it a try, and report
    any gaps or feedback you may have in the issue. 📣

Security

  • CVE-2026-25645 requests.utils.extract_zipped_paths now extracts
    contents to a non-deterministic location to prevent malicious file
    replacement. This does not affect default usage of Requests, only
    applications calling the utility function directly.

Improvements

  • Migrated to a PEP 517 build system using setuptools. (#​7012)

Bugfixes

  • Fixed an issue where an empty netrc entry could cause
    malformed authentication to be applied to Requests on
    Python 3.11+. (#​7205)

Deprecations

  • Dropped support for Python 3.9 following its end of support. (#​7196)

Documentation

  • Various typo fixes and doc improvements.

Configuration

📅 Schedule: (in timezone Etc/UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate
renovate Bot force-pushed the renovate/pypi-requests-vulnerability branch from 564e687 to 5a9add5 Compare May 12, 2026 15:21
@renovate
renovate Bot force-pushed the renovate/pypi-requests-vulnerability branch 2 times, most recently from fe01701 to 0794b49 Compare May 28, 2026 08:54
@renovate
renovate Bot force-pushed the renovate/pypi-requests-vulnerability branch from 0794b49 to faba588 Compare June 17, 2026 15:48
@renovate
renovate Bot force-pushed the renovate/pypi-requests-vulnerability branch from faba588 to 36de548 Compare July 15, 2026 10:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants