2026-03-25 17:02:48
GitHub_M
PUBLISHED
Requests is a HTTP library. Prior to version 2.33.0, the function `requests.utils.extract_zipped_paths()` (which is used by `HTTPAdapter.cert_verify()` to load the CA bundle, often from the `certifi` packages zipapp structure) uses a predictable, non-unique filename (the basename of the file, e.g., `cacert.pem`) when attempting to extract files into the systems temporary directory (`/tmp`). The vulnerable logic performs a check to see if the target file already exists in `/tmp` and re-uses the existing file if found, instead of securely checking the files content or ensuring atomic, unique extraction. This allows a Local Attacker to pre-create a malicious CA bundle file (e.g., `/tmp/cacert.pem`) before a vulnerable application (running with potentially higher privileges) initializes the `requests` library. Version 2.33.0 contains a patch.