The vulnerability CVE-2026-25645 affects the Python Requests library versions prior to 2.33.0. The issue lies in the function requests.utils.extract_zipped_paths(), which is used internally by HTTPAdapter.cert_verify() to load the CA bundle, often sourced from the certifi package's zipapp structure. This function extracts certificate files into the system's temporary directory (/tmp) using a predictable filename, such as cacert.pem. Before extraction, it checks if the file already exists and reuses it without verifying its contents or ensuring atomic, unique extraction. This insecure temporary file handling (CWE-377) allows a local attacker to pre-create a malicious CA bundle file in /tmp with the same name. When a vulnerable application running with higher privileges initializes the Requests library, it trusts the attacker-controlled CA bundle, potentially allowing the attacker to manipulate certificate validation processes. This can lead to integrity violations, such as accepting forged certificates, enabling man-in-the-middle attacks or code injection in TLS-secured communications. The vulnerability requires local access with low privileges and user interaction, as the attacker must place the malicious file before the vulnerable process runs. The patch in Requests 2.33.0 addresses this by implementing secure extraction methods that use unique, non-predictable temporary filenames and verify file integrity, preventing reuse of attacker-controlled files.

The primary impact of this vulnerability is the compromise of integrity in TLS certificate validation within applications using the vulnerable Requests library. By tricking the application into trusting a malicious CA bundle, an attacker can perform man-in-the-middle attacks, intercept or alter supposedly secure communications, or inject malicious content. This undermines the trust model of TLS and can lead to further exploitation such as credential theft, data manipulation, or unauthorized access. Since exploitation requires local access, the threat is significant in multi-user systems, shared hosting environments, or containerized platforms where untrusted users have some level of access. The vulnerability does not directly affect confidentiality or availability but can indirectly lead to data breaches or system compromise through trust violations. Organizations relying on Requests for secure HTTP communications, especially in environments where local users exist, face increased risk until patched. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat due to the ease of local file manipulation.

To mitigate this vulnerability, organizations should upgrade the Requests library to version 2.33.0 or later, where the issue is patched. For environments where immediate upgrade is not feasible, implement strict access controls on the system's temporary directories to prevent untrusted users from creating or modifying files such as /tmp/cacert.pem. Use filesystem permissions and mount options like noexec and nodev on /tmp to reduce risk. Employ containerization or sandboxing to isolate processes using Requests from untrusted local users. Additionally, monitor and audit /tmp for unexpected files or changes to certificate bundles. Developers should avoid running Requests-based applications with elevated privileges unnecessarily and consider using alternative certificate loading mechanisms that do not rely on temporary file extraction. Finally, educate local users about the risks of placing files in shared temporary directories and enforce policies to restrict such behavior.