Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function — CVE-2026-25645

Summary

Advisory CVE-2026-25645. Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function Vendor: Microsoft. Source: MSRC. Threat: medium. CVSS 4.4. See the official advisory for details.

What to do

General, cautious steps (verify details in the official source):

• Review exposure and plan remediation based on risk and environment.
• Identify affected product versions in your inventory and verify whether you are impacted.
• Apply vendor patches/updates or recommended mitigations as soon as available.
• Read the official advisory for exact affected versions and remediation steps.

Official advisory

Read the official source

Related advisories

• token leak with redirect and netrc CVE-2026-3783
• A stack use-after-return flaw in SIG(0) handling code may enable ACL bypass CVE-2026-3591
• Authenticated query containing a TKEY record may cause named to terminate unexpectedly CVE-2026-3119
• Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching CVE-2026-33672
• python-ecdsa: Denial of Service via improper DER length validation in crafted private keys CVE-2026-33936
• etcd: Nested etcd transactions bypass RBAC authorization checks CVE-2026-33343
• Microsoft Edge (Chromium-based) Defense in Depth Vulnerability CVE-2026-32187
• Binutils: out-of-bounds read in xcoff relocation processing in gnu binutils bfd library CVE-2026-4647
• icmp: fix NULL pointer dereference in icmp_tag_validation() CVE-2026-23398
• Mariner CVE-2026-34085
• nfnetlink_osf: validate individual option lengths in fingerprints CVE-2026-23397
• NGINX ngx_stream_ssl_module vulnerability CVE-2026-28755