Bug 2451408 (CVE-2026-25645)

Summary: CVE-2026-25645 requests: Requests: Security bypass due to predictable temporary file creation
Product: [Other] Security Response    Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability    Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---    QA Contact:
Severity: medium    Docs Contact:
Priority: medium
Version: unspecified    CC: abarbaro, adinn, adudiak, alinfoot, alizardo, anpicker, anthomas, aprice, bbrownin, bdettelb, bparees, brasmith, caswilli, cmyers, cochase, crizzo, derez, dfreiber, dnakabaa, doconnor, dranck, drow, dschmidt, dtrifiro, dymurray, ebourniv, eglynn, ehelms, erezende, fzakkak, galder, ggainey, hasun, ibolton, jburrell, jcantril, jchui, jdobes, jfula, jhe, jjoyce, jkoehler, jlanda, jmatthew, jmitchel, jmontleo, jowilson, jsamir, juwatts, jwong, kaycoth, kbempah, kgaikwad, kshier, ktsao, lball, lcouzens, lgallett, lichen, ljawale, lphiri, luizcosta, mbabacek, mbarnett, mburns, mgarciac, mhayden, mhulan, mrunge, nboldt, ngough, nmoumoul, nweather, nyancey, oezr, olubyans, omaciel, ometelka, orabin, osousa, pakotvan, pbohmill, pcreech, pgaikwad, pjindal, psrna, ptisnovs, rbobbitt, rbryant, rchan, rjohnson, rojacob, sbiarozk, sbunciak, sdoran, sgehwolf, simaishi, slucidi, smallamp, smcdonal, solenoci, sseago, stcannon, sthirugn, syedriko, teagle, tmalecek, tqvarnst, ttakamiy, veshanka, vimartin, vkumar, weaton, xdharmai, xialiu, xiaoxwan, yguenane, zzhou
Target Milestone: ---    Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version:    Doc Type: ---
Doc Text:
A flaw was found in the `requests` HTTP library, specifically in the `requests.utils.extract_zipped_paths()` function, which is used to load Certificate Authority (CA) bundles. A local attacker can exploit this vulnerability by pre-creating a malicious CA bundle file in the system's temporary directory. When a vulnerable application initializes the `requests` library, it may load this malicious file instead of the legitimate CA bundle, leading to a bypass of security controls and potential integrity compromise.
Story Points: ---
Clone Of:    Environment:
Last Closed:    Type: ---
Regression: ---    Mount Type: ---
Documentation: ---    CRM:
Verified Versions:    Category: ---
oVirt Team: ---    RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---    Target Upstream Version:
Embargoed:
Bug Depends On: 2452324, 2452325, 2452326, 2452327, 2452328    
Bug Blocks:    

Description OSIDB Bzimport 2026-03-25 18:02:22 UTC
Requests is an HTTP library. Prior to version 2.33.0, the function `requests.utils.extract_zipped_paths()` (which is used by `HTTPAdapter.cert_verify()` to load the CA bundle, often from the `certifi` package's zipapp structure) uses a predictable, non-unique filename (the basename of the file, e.g., `cacert.pem`) when attempting to extract files into the system's temporary directory (`/tmp`). The vulnerable logic performs a check to see if the target file already exists in `/tmp` and re-uses the existing file if found, instead of securely checking the file's content or ensuring atomic, unique extraction. This allows a Local Attacker to pre-create a malicious CA bundle file (e.g., `/tmp/cacert.pem`) before a vulnerable application (running with potentially higher privileges) initializes the `requests` library. Version 2.33.0 contains a patch.
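The following is an added example, not code from the `requests` project and not its actual patch. It reimplements the two behaviours the description contrasts: an `extract_zipped_paths_insecure()` that mirrors the vulnerable pattern (derive the output name from the member's basename, and re-use any file already present under that name in the temporary directory), and an `extract_zipped_paths_hardened()` that always extracts a fresh copy into a private, uniquely named directory created with `tempfile.mkdtemp()`. The `mkdtemp` approach is one reasonable mitigation chosen for this illustration, not a statement of what 2.33.0 does. The `_split_zip_path()` helper, the `tmp_dir` parameter and the `demo()` fixture (which builds a small zipapp-like archive and a pre-existing file of the same basename, both constructed here) are assumptions of this example.

```python
import os
import shutil
import tempfile
import zipfile


def _split_zip_path(path):
    """Hypothetical helper: split '/x/app.zip/certifi/cacert.pem' into
    ('/x/app.zip', 'certifi/cacert.pem'). Returns (None, None) if no
    component of the path is a zip archive."""
    archive, member = path, ""
    while archive and not zipfile.is_zipfile(archive):
        parent, tail = os.path.split(archive)
        if parent == archive:          # reached the filesystem root
            return None, None
        archive = parent
        member = f"{tail}/{member}" if member else tail
    return (archive, member) if archive else (None, None)


def _extract_member(archive, member, dest):
    with zipfile.ZipFile(archive) as zf, zf.open(member) as src, open(dest, "wb") as dst:
        shutil.copyfileobj(src, dst)


def extract_zipped_paths_insecure(path, tmp_dir=None):
    """Mirrors the vulnerable pattern described above: the output name is
    predictable (basename of the member in the shared temp directory) and
    an already-present file is trusted and re-used without inspection."""
    archive, member = _split_zip_path(path)
    if archive is None:
        return path
    tmp_dir = tmp_dir or tempfile.gettempdir()
    extracted = os.path.join(tmp_dir, os.path.basename(member))
    if os.path.exists(extracted):      # whatever is there wins, whoever wrote it
        return extracted
    _extract_member(archive, member, extracted)
    return extracted


def extract_zipped_paths_hardened(path, tmp_dir=None):
    """Hardened variant (assumed mitigation): never re-use a pre-existing
    file; extract into a freshly created, uniquely named, mode-0700
    directory so no other local user can pre-create or swap the bundle."""
    archive, member = _split_zip_path(path)
    if archive is None:
        return path
    private_dir = tempfile.mkdtemp(prefix="ca-bundle-", dir=tmp_dir)
    extracted = os.path.join(private_dir, os.path.basename(member))
    _extract_member(archive, member, extracted)
    return extracted


def demo():
    """Constructed fixture: a zipapp-style archive carrying certifi/cacert.pem
    and a 'temp' directory where a file named cacert.pem already exists.
    Returns the bytes each extractor ends up handing to the TLS layer."""
    with tempfile.TemporaryDirectory() as workdir:
        archive = os.path.join(workdir, "app.zip")
        with zipfile.ZipFile(archive, "w") as zf:
            zf.writestr("certifi/cacert.pem", b"GENUINE-CA-BUNDLE\n")
        fake_tmp = os.path.join(workdir, "tmp")
        os.makedirs(fake_tmp)
        # Constructed: a file with the predictable name, placed before the app runs.
        with open(os.path.join(fake_tmp, "cacert.pem"), "wb") as f:
            f.write(b"PRE-EXISTING-CONTENT\n")
        zipped = os.path.join(archive, "certifi", "cacert.pem")
        with open(extract_zipped_paths_insecure(zipped, tmp_dir=fake_tmp), "rb") as f:
            insecure = f.read()
        with open(extract_zipped_paths_hardened(zipped, tmp_dir=fake_tmp), "rb") as f:
            hardened = f.read()
        return insecure, hardened


if __name__ == "__main__":
    insecure, hardened = demo()
    print("insecure loaded:", insecure.strip().decode())
    print("hardened loaded:", hardened.strip().decode())
```

The insecure path returns the pre-existing file's contents unchanged, which is exactly the integrity problem the advisory describes; the hardened path returns the bundle actually stored in the archive. For detection on a deployed host, the tell-tale is a world-readable `cacert.pem` (or other CA bundle name) sitting directly in the shared temporary directory and owned by a user other than the one running the application.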