{"id":"UBUNTU-CVE-2026-25645","details":"Requests is an HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. Only applications that call `extract_zipped_paths()` directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access.","modified":"2026-05-29T10:45:28.965284883Z","published":"2026-03-25T17:16:00Z","upstream":["CVE-2026-25645"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-25645"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2026-25645"},{"type":"REPORT","url":"https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2"}],"affected":[{"package":{"name":"python-pip","ecosystem":"Ubuntu:Pro:14.04:LTS","purl":"pkg:deb/ubuntu/python-pip?arch=source&distro=esm-infra-legacy%2Ftrusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.4.1-2","1.5.4-1","1.5.4-1ubuntu1","1.5.4-1ubuntu3","1.5.4-1ubuntu4","1.5.4-1ubuntu4+esm1","1.5.4-1ubuntu4+esm2","1.5.4-1ubuntu4+esm3","1.5.4-1ubuntu4+esm4","1.5.4-1ubuntu4+esm5"],"ecosystem_specific":{"binaries":[{"binary_name":"python-pip","binary_version":"1.5.4-1ubuntu4+esm5"},{"binary_name":"python-pip-whl","binary_version":"1.5.4-1ubuntu4+esm5"},{"binary_name":"python3-pip","binary_version":"1.5.4-1ubuntu4+esm5"}],"priority_reason":"Nothing in Ubuntu uses the affected function directly"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-25645.json"}},{"package":{"name":"requests","ecosystem":"Ubuntu:Pro:14.04:LTS","purl":"pkg:deb/ubuntu/requests?arch=source&distro=esm-infra-legacy%2Ftrusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.2.3-1","2.0.0-1","2.2.1-1","2.2.1-1ubuntu0.1","2.2.1-1ubuntu0.2","2.2.1-1ubuntu0.3","2.2.1-1ubuntu0.4","2.2.1-1ubuntu0.4+esm1"],"ecosystem_specific":{"binaries":[{"binary_name":"python-requests","binary_version":"2.2.1-1ubuntu0.4+esm1"},{"binary_name":"python-requests-whl","binary_version":"2.2.1-1ubuntu0.4+esm1"},{"binary_name":"python3-requests","binary_version":"2.2.1-1ubuntu0.4+esm1"}],"priority_reason":"Nothing in Ubuntu uses the affected function directly"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-25645.json"}},{"package":{"name":"requests","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/requests?arch=source&distro=esm-infra%2Fxenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.7.0-3","2.8.1-1","2.9.1-1ubuntu1","2.9.1-2","2.9.1-3","2.9.1-3ubuntu0.1","2.9.1-3ubuntu0.1+esm1","2.9.1-3ubuntu0.1+esm2"],"ecosystem_specific":{"binaries":[{"binary_name":"python-requests","binary_version":"2.9.1-3ubuntu0.1+esm2"},{"binary_name":"python3-requests","binary_version":"2.9.1-3ubuntu0.1+esm2"}],"priority_reason":"Nothing in Ubuntu uses the affected function directly"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-25645.json"}},{"package":{"name":"python-pip","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/python-pip?arch=source&distro=esm-apps%2Fxenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.5.6-7ubuntu1","1.5.6-7ubuntu2","8.0.2-7","8.0.3-1","8.0.3-2","8.1.0-1","8.1.0-2","8.1.1-1","8.1.1-2","8.1.1-2ubuntu0.1","8.1.1-2ubuntu0.2","8.1.1-2ubuntu0.4","8.1.1-2ubuntu0.6","8.1.1-2ubuntu0.6+esm2","8.1.1-2ubuntu0.6+esm3","8.1.1-2ubuntu0.6+esm4","8.1.1-2ubuntu0.6+esm5","8.1.1-2ubuntu0.6+esm6","8.1.1-2ubuntu0.6+esm8","8.1.1-2ubuntu0.6+esm10","8.1.1-2ubuntu0.6+esm11","8.1.1-2ubuntu0.6+esm12"],"ecosystem_specific":{"binaries":[{"binary_name":"python-pip","binary_version":"8.1.1-2ubuntu0.6+esm12"},{"binary_name":"python-pip-whl","binary_version":"8.1.1-2ubuntu0.6+esm12"},{"binary_name":"python3-pip","binary_version":"8.1.1-2ubuntu0.6+esm12"}],"priority_reason":"Nothing in Ubuntu uses the affected function directly"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-25645.json"}},{"package":{"name":"requests","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/requests?arch=source&distro=esm-infra%2Fbionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.18.1-1","2.18.4-1","2.18.4-2","2.18.4-2ubuntu0.1","2.18.4-2ubuntu0.1+esm1","2.18.4-2ubuntu0.1+esm2"],"ecosystem_specific":{"binaries":[{"binary_name":"python-requests","binary_version":"2.18.4-2ubuntu0.1+esm2"},{"binary_name":"python3-requests","binary_version":"2.18.4-2ubuntu0.1+esm2"}],"priority_reason":"Nothing in Ubuntu uses the affected function directly"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-25645.json"}},{"package":{"name":"python-pip","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/python-pip?arch=source&distro=esm-apps%2Fbionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["9.0.1-2","9.0.1-2.3~ubuntu1","9.0.1-2.3~ubuntu1.18.04.1","9.0.1-2.3~ubuntu1.18.04.2","9.0.1-2.3~ubuntu1.18.04.3","9.0.1-2.3~ubuntu1.18.04.4","9.0.1-2.3~ubuntu1.18.04.5","9.0.1-2.3~ubuntu1.18.04.5+esm2","9.0.1-2.3~ubuntu1.18.04.5+esm3","9.0.1-2.3~ubuntu1.18.04.6","9.0.1-2.3~ubuntu1.18.04.6+esm1","9.0.1-2.3~ubuntu1.18.04.7","9.0.1-2.3~ubuntu1.18.04.7+esm1","9.0.1-2.3~ubuntu1.18.04.8","9.0.1-2.3~ubuntu1.18.04.8+esm1","9.0.1-2.3~ubuntu1.18.04.8+esm2","9.0.1-2.3~ubuntu1.18.04.8+esm4","9.0.1-2.3~ubuntu1.18.04.8+esm6","9.0.1-2.3~ubuntu1.18.04.8+esm7","9.0.1-2.3~ubuntu1.18.04.8+esm8"],"ecosystem_specific":{"binaries":[{"binary_name":"python-pip","binary_version":"9.0.1-2.3~ubuntu1.18.04.8+esm8"},{"binary_name":"python-pip-whl","binary_version":"9.0.1-2.3~ubuntu1.18.04.8+esm8"},{"binary_name":"python3-pip","binary_version":"9.0.1-2.3~ubuntu1.18.04.8+esm8"}],"priority_reason":"Nothing in Ubuntu uses the affected function directly"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-25645.json"}},{"package":{"name":"requests","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/requests?arch=source&distro=esm-infra%2Ffocal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.21.0-1","2.22.0-2build1","2.22.0-2ubuntu1","2.22.0-2ubuntu1.1","2.22.0-2ubuntu1.1+esm1"],"ecosystem_specific":{"binaries":[{"binary_name":"python3-requests","binary_version":"2.22.0-2ubuntu1.1+esm1"}],"priority_reason":"Nothing in Ubuntu uses the affected function directly"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-25645.json"}},{"package":{"name":"python-pip","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/python-pip?arch=source&distro=esm-apps%2Ffocal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["18.1-5","18.1-5build1","18.1-5ubuntu1","20.0.2-2","20.0.2-4","20.0.2-5","20.0.2-5ubuntu1","20.0.2-5ubuntu1.1","20.0.2-5ubuntu1.3","20.0.2-5ubuntu1.4","20.0.2-5ubuntu1.5","20.0.2-5ubuntu1.6","20.0.2-5ubuntu1.7","20.0.2-5ubuntu1.8","20.0.2-5ubuntu1.9","20.0.2-5ubuntu1.10","20.0.2-5ubuntu1.10+esm2","20.0.2-5ubuntu1.11","20.0.2-5ubuntu1.11+esm2","20.0.2-5ubuntu1.11+esm3","20.0.2-5ubuntu1.11+esm4"],"ecosystem_specific":{"binaries":[{"binary_name":"python-pip-whl","binary_version":"20.0.2-5ubuntu1.11+esm4"},{"binary_name":"python3-pip","binary_version":"20.0.2-5ubuntu1.11+esm4"}],"priority_reason":"Nothing in Ubuntu uses the affected function directly"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-25645.json"}},{"package":{"name":"requests","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/requests?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.25.1+dfsg-2","2.25.1+dfsg-2ubuntu0.1","2.25.1+dfsg-2ubuntu0.3"],"ecosystem_specific":{"binaries":[{"binary_name":"python3-requests","binary_version":"2.25.1+dfsg-2ubuntu0.3"}],"priority_reason":"Nothing in Ubuntu uses the affected function directly"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-25645.json"}},{"package":{"name":"python-pip","ecosystem":"Ubuntu:Pro:22.04:LTS","purl":"pkg:deb/ubuntu/python-pip?arch=source&distro=esm-apps%2Fjammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["20.3.4-4","21.3.1+dfsg-3","22.0.2+dfsg-1","22.0.2+dfsg-1ubuntu0.1","22.0.2+dfsg-1ubuntu0.2","22.0.2+dfsg-1ubuntu0.3","22.0.2+dfsg-1ubuntu0.4","22.0.2+dfsg-1ubuntu0.5","22.0.2+dfsg-1ubuntu0.6","22.0.2+dfsg-1ubuntu0.7","22.0.2+dfsg-1ubuntu0.7+esm1"],"ecosystem_specific":{"binaries":[{"binary_name":"python3-pip","binary_version":"22.0.2+dfsg-1ubuntu0.7+esm1"},{"binary_name":"python3-pip-whl","binary_version":"22.0.2+dfsg-1ubuntu0.7+esm1"}],"priority_reason":"Nothing in Ubuntu uses the affected function directly"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-25645.json"}},{"package":{"name":"requests","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/requests?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.31.0+dfsg-1ubuntu1","2.31.0+dfsg-1ubuntu1.1"],"ecosystem_specific":{"binaries":[{"binary_name":"python3-requests","binary_version":"2.31.0+dfsg-1ubuntu1.1"}],"priority_reason":"Nothing in Ubuntu uses the affected function directly"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-25645.json"}},{"package":{"name":"python-pip","ecosystem":"Ubuntu:Pro:24.04:LTS","purl":"pkg:deb/ubuntu/python-pip?arch=source&distro=esm-apps%2Fnoble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["23.2+dfsg-1","23.3+dfsg-1","24.0+dfsg-1","24.0+dfsg-1ubuntu1","24.0+dfsg-1ubuntu1.1","24.0+dfsg-1ubuntu1.2","24.0+dfsg-1ubuntu1.3","24.0+dfsg-1ubuntu1.3+esm1"],"ecosystem_specific":{"binaries":[{"binary_name":"python3-pip","binary_version":"24.0+dfsg-1ubuntu1.3+esm1"},{"binary_name":"python3-pip-whl","binary_version":"24.0+dfsg-1ubuntu1.3+esm1"}],"priority_reason":"Nothing in Ubuntu uses the affected function directly"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-25645.json"}},{"package":{"name":"python-pip","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/python-pip?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["25.0+dfsg-1","25.1.1+dfsg-1","25.1.1+dfsg-1ubuntu1","25.1.1+dfsg-1ubuntu2"],"ecosystem_specific":{"binaries":[{"binary_name":"python3-pip","binary_version":"25.1.1+dfsg-1ubuntu2"},{"binary_name":"python3-pip-whl","binary_version":"25.1.1+dfsg-1ubuntu2"}],"priority_reason":"Nothing in Ubuntu uses the affected function directly"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-25645.json"}},{"package":{"name":"requests","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/requests?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.32.3+dfsg-4ubuntu1","2.32.3+dfsg-5ubuntu1","2.32.3+dfsg-5ubuntu2"],"ecosystem_specific":{"binaries":[{"binary_name":"python3-requests","binary_version":"2.32.3+dfsg-5ubuntu2"}],"priority_reason":"Nothing in Ubuntu uses the affected function directly"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-25645.json"}},{"package":{"name":"requests","ecosystem":"Ubuntu:26.04:LTS","purl":"pkg:deb/ubuntu/requests?arch=source&distro=resolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.32.3+dfsg-5ubuntu2","2.32.5+dfsg-1ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_name":"python3-requests","binary_version":"2.32.5+dfsg-1ubuntu1"}],"priority_reason":"Nothing in Ubuntu uses the affected function directly"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-25645.json"}},{"package":{"name":"python-pip","ecosystem":"Ubuntu:Pro:26.04:LTS","purl":"pkg:deb/ubuntu/python-pip?arch=source&distro=esm-apps%2Fresolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["25.1.1+dfsg-1ubuntu2","25.1.1+dfsg-1ubuntu2+esm1"],"ecosystem_specific":{"binaries":[{"binary_name":"python3-pip","binary_version":"25.1.1+dfsg-1ubuntu2+esm1"},{"binary_name":"python3-pip-whl","binary_version":"25.1.1+dfsg-1ubuntu2+esm1"}],"priority_reason":"Nothing in Ubuntu uses the affected function directly"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-25645.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"},{"type":"Ubuntu","score":"low"}]}