Skip to content

chore(deps): update dependency requests to v2.33.0 [security]#326

Merged
craigzour merged 1 commit intomainfrom
renovate/pypi-requests-vulnerability
Mar 26, 2026
Merged

chore(deps): update dependency requests to v2.33.0 [security]#326
craigzour merged 1 commit intomainfrom
renovate/pypi-requests-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate bot commented Mar 25, 2026

This PR contains the following updates:

Package Change Age Confidence
requests (source, changelog) ==2.32.5==2.33.0 age confidence

Review

  • Updates have been tested and work
  • If updates are AWS related, versions match the infrastructure (e.g. Lambda runtime, database, etc.)

Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function

CVE-2026-25645 / GHSA-gc5v-m9x4-r6x2

More information

Details

Impact

The requests.utils.extract_zipped_paths() utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one.

Affected usages

Standard usage of the Requests library is not affected by this vulnerability. Only applications that call extract_zipped_paths() directly are impacted.

Remediation

Upgrade to at least Requests 2.33.0, where the library now extracts files to a non-deterministic location.

If developers are unable to upgrade, they can set TMPDIR in their environment to a directory with restricted write access.

Severity

  • CVSS Score: 4.4 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

psf/requests (requests)

v2.33.0

Compare Source

Announcements

  • 📣 Requests is adding inline types. If you have a typed code base that
    uses Requests, please take a look at #​7271. Give it a try, and report
    any gaps or feedback you may have in the issue. 📣

Security

  • CVE-2026-25645 requests.utils.extract_zipped_paths now extracts
    contents to a non-deterministic location to prevent malicious file
    replacement. This does not affect default usage of Requests, only
    applications calling the utility function directly.

Improvements

  • Migrated to a PEP 517 build system using setuptools. (#​7012)

Bugfixes

  • Fixed an issue where an empty netrc entry could cause
    malformed authentication to be applied to Requests on
    Python 3.11+. (#​7205)

Deprecations

  • Dropped support for Python 3.9 following its end of support. (#​7196)

Documentation

  • Various typo fixes and doc improvements.

Configuration

📅 Schedule: Branch creation - "" in timezone America/Montreal, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@craigzour craigzour merged commit eb2f952 into main Mar 26, 2026
6 checks passed
@craigzour craigzour deleted the renovate/pypi-requests-vulnerability branch March 26, 2026 12:35
@cds-snc-release-bot cds-snc-release-bot bot mentioned this pull request Mar 23, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@craigzour craigzour craigzour approved these changes

Assignees

No one assigned

Labels

Dependencies Renovate

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@craigzour