repos/roboluke
5
0
Fork 0
Code Issues 1 Pull Requests 1 Actions 1 Packages Releases 77 Activity

feat(deps): Update dependency requests to v2.33.0 [SECURITY] #436

Merged
luke merged 1 commits from renovate/pypi-requests-vulnerability into main 2026-03-27 18:06:12 +00:00
Conversation 2 Commits 1 Files Changed 1 +3 -3
renovate-bot commented 2026-03-25 21:02:51 +00:00
Member
Copy Link

This PR contains the following updates:

Package Change Age Confidence
requests (changelog) 2.32.52.33.0 age confidence

Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function

CVE-2026-25645 / GHSA-gc5v-m9x4-r6x2

More information

Details

Impact

The requests.utils.extract_zipped_paths() utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one.

Affected usages

Standard usage of the Requests library is not affected by this vulnerability. Only applications that call extract_zipped_paths() directly are impacted.

Remediation

Upgrade to at least Requests 2.33.0, where the library now extracts files to a non-deterministic location.

If developers are unable to upgrade, they can set TMPDIR in their environment to a directory with restricted write access.

Severity

  • CVSS Score: 4.4 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

psf/requests (requests)

v2.33.0

Compare Source

Announcements

  • 📣 Requests is adding inline types. If you have a typed code base that
    uses Requests, please take a look at #​7271. Give it a try, and report
    any gaps or feedback you may have in the issue. 📣

Security

  • CVE-2026-25645 requests.utils.extract_zipped_paths now extracts
    contents to a non-deterministic location to prevent malicious file
    replacement. This does not affect default usage of Requests, only
    applications calling the utility function directly.

Improvements

  • Migrated to a PEP 517 build system using setuptools. (#​7012)

Bugfixes

  • Fixed an issue where an empty netrc entry could cause
    malformed authentication to be applied to Requests on
    Python 3.11+. (#​7205)

Deprecations

  • Dropped support for Python 3.9 following its end of support. (#​7196)

Documentation

  • Various typo fixes and doc improvements.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [requests](https://github.com/psf/requests) ([changelog](https://github.com/psf/requests/blob/master/HISTORY.md)) | `2.32.5` → `2.33.0` | ![age](https://developer.mend.io/api/mc/badges/age/pypi/requests/2.33.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/requests/2.32.5/2.33.0?slim=true) | --- ### Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function [CVE-2026-25645](https://nvd.nist.gov/vuln/detail/CVE-2026-25645) / [GHSA-gc5v-m9x4-r6x2](https://github.com/advisories/GHSA-gc5v-m9x4-r6x2) <details> <summary>More information</summary> #### Details ##### Impact The `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. ##### Affected usages **Standard usage of the Requests library is not affected by this vulnerability.** Only applications that call `extract_zipped_paths()` directly are impacted. ##### Remediation Upgrade to at least Requests 2.33.0, where the library now extracts files to a non-deterministic location. If developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access. #### Severity - CVSS Score: 4.4 / 10 (Medium) - Vector String: `CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N` #### References - [https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2](https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2) - [https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7](https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7) - [https://github.com/psf/requests](https://github.com/psf/requests) - [https://github.com/psf/requests/releases/tag/v2.33.0](https://github.com/psf/requests/releases/tag/v2.33.0) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-gc5v-m9x4-r6x2) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>psf/requests (requests)</summary> ### [`v2.33.0`](https://github.com/psf/requests/blob/HEAD/HISTORY.md#2330-2026-03-25) [Compare Source](https://github.com/psf/requests/compare/v2.32.5...v2.33.0) **Announcements** - 📣 Requests is adding inline types. If you have a typed code base that uses Requests, please take a look at [#&#8203;7271](https://github.com/psf/requests/issues/7271). Give it a try, and report any gaps or feedback you may have in the issue. 📣 **Security** - CVE-2026-25645 `requests.utils.extract_zipped_paths` now extracts contents to a non-deterministic location to prevent malicious file replacement. This does not affect default usage of Requests, only applications calling the utility function directly. **Improvements** - Migrated to a PEP 517 build system using setuptools. ([#&#8203;7012](https://github.com/psf/requests/issues/7012)) **Bugfixes** - Fixed an issue where an empty netrc entry could cause malformed authentication to be applied to Requests on Python 3.11+. ([#&#8203;7205](https://github.com/psf/requests/issues/7205)) **Deprecations** - Dropped support for Python 3.9 following its end of support. ([#&#8203;7196](https://github.com/psf/requests/issues/7196)) **Documentation** - Various typo fixes and doc improvements. </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My45MS4xIiwidXBkYXRlZEluVmVyIjoiNDMuOTEuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsic2VjdXJpdHkiXX0=-->
renovate-bot added the security label 2026-03-25 21:02:51 +00:00
renovate-bot requested review from luke 2026-03-25 21:02:51 +00:00
renovate-bot added 1 commit 2026-03-27 13:03:02 +00:00
[SECURITY] Update dependency requests to v2.33.0 [SECURITY]
All checks were successful
Validate PR Title / validate (pull_request) Successful in 2s
Details
CI / ci (pull_request) Successful in 18s
Details
c03056ebf6
renovate-bot force-pushed renovate/pypi-requests-vulnerability from 0b2cf11c6a to c03056ebf6 2026-03-27 13:03:02 +00:00 Compare
luke approved these changes 2026-03-27 18:05:27 +00:00
Dismissed
luke changed title from [SECURITY] Update dependency requests to v2.33.0 [SECURITY] to feat(deps): Update dependency requests to v2.33.0 [SECURITY] 2026-03-27 18:05:53 +00:00
luke approved these changes 2026-03-27 18:06:02 +00:00
luke scheduled this pull request to auto merge when all checks succeed 2026-03-27 18:06:07 +00:00
luke merged commit e4f753c9a1 into main 2026-03-27 18:06:12 +00:00
luke deleted branch renovate/pypi-requests-vulnerability 2026-03-27 18:06:13 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
luke
Labels
Clear labels
bug
Something isn't working
 dependencies
Pull requests that update a dependency file
 documentation
Improvements or additions to documentation
 duplicate
This issue or pull request already exists
 enhancement
New feature or request
 good first issue
Good for newcomers
 help wanted
Extra attention is needed
 invalid
This doesn't seem right
 question
Further information is requested
 security
wontfix
This will not be worked on
Compat/Breaking
Breaking change that won't be backward compatible
 Kind/Bug
Something is not working
 Kind/Documentation
Documentation changes
 Kind/Enhancement
Improve existing functionality
 Kind/Feature
New functionality
 Kind/Security
This is security issue
 Kind/Testing
Issue or pull request related to testing
Priority
Critical
The priority is critical
Priority
High
The priority is high
Priority
Low
The priority is low
Priority
Medium
The priority is medium
Reviewed
Confirmed
Issue has been confirmed
Reviewed
Duplicate
This issue or pull request already exists
Reviewed
Invalid
Invalid issue
Reviewed
Won't Fix
This issue won't be fixed
Status
Abandoned
Somebody has started to work on this but abandoned work
Status
Blocked
Something is blocking this issue or pull request
Status
Need More Info
Feedback is required to reproduce issue or to continue work
No Label security
Milestone
No items
No Milestone
Assignees
Clear assignees
ai-review-bot gitea-actions-bot luke renovate-bot
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: repos/roboluke#436
Delete Branch "renovate/pypi-requests-vulnerability"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?