Requests Library Insecure Temporary File Handling Vulnerability in CA Bundle Extraction
Vulnerability
A vulnerability exists in the Requests library prior to version 2.33.0, in the `requests.utils.extract_zipped_paths()` function. `HTTPAdapter.cert_verify()` calls this function to locate the default CA bundle (`certifi`'s `cacert.pem`) when the application, and with it `certifi`, is packaged inside a zip archive such as a zipapp, so the bundle cannot be opened in place. `extract_zipped_paths()` copies the archive member into the system temporary directory under a fixed, predictable filename (the member's basename, i.e. `cacert.pem`). If a file of that name already exists, it is reused without checking who created it or whether its contents match the archive member. A local attacker with write access to the shared temporary directory (typically world-writable, e.g. `/tmp`) can therefore plant a malicious CA bundle at that path before the application runs, and an application running with higher privileges will load it as its trust store.
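The predictable-filename reuse described above, as an added example that is not part of the advisory or of the Requests code base. `extract_vulnerable()` mirrors the behaviour described (fixed basename under the temporary directory, reused if it already exists); `extract_hardened()` is an illustrative fix that extracts into a freshly created private directory and compares the copy with the archive member, not the change shipped in 2.33.0. The zip archive standing in for a zipapp, the two PEM blobs and the temporary-directory layout are all constructed for the demo.

```python
"""Predictable temp-file reuse when a CA bundle is extracted from a zip archive.

Added example. extract_vulnerable() follows the pattern the advisory describes;
extract_hardened() is one illustrative way to close the hole, not the upstream fix.
"""
import os
import tempfile
import zipfile

# Constructed sample bundles: whichever one the application loads is what it trusts.
GENUINE_PEM = b"-----BEGIN CERTIFICATE-----\nGENUINE ROOT (constructed sample)\n-----END CERTIFICATE-----\n"
ROGUE_PEM = b"-----BEGIN CERTIFICATE-----\nATTACKER ROOT (constructed sample)\n-----END CERTIFICATE-----\n"


def build_zipapp(directory):
    """Create a zip archive playing the role of a zipapp that bundles certifi."""
    archive = os.path.join(directory, "app.pyz")
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("certifi/cacert.pem", GENUINE_PEM)
    return archive


def split_zip_path(path):
    """Split '<archive on disk>/<member inside it>' into its two parts."""
    archive, member = os.path.split(path)
    while archive and not os.path.exists(archive):
        archive, prefix = os.path.split(archive)
        if not prefix:
            break
        member = "/".join([prefix, member])
    return archive, member


def extract_vulnerable(path, tmpdir):
    """Vulnerable pattern: fixed name in a shared temp dir, reused if present."""
    if os.path.exists(path):
        return path
    archive, member = split_zip_path(path)
    if not zipfile.is_zipfile(archive):
        return path
    with zipfile.ZipFile(archive) as zf:
        if member not in zf.namelist():
            return path
        extracted = os.path.join(tmpdir, member.split("/")[-1])
        # An attacker-planted file of the same name short-circuits the write.
        if not os.path.exists(extracted):
            with open(extracted, "wb") as fh:
                fh.write(zf.read(member))
    return extracted


def extract_hardened(path, tmpdir):
    """Illustrative fix: a fresh 0700 directory we own, O_EXCL create, content check."""
    if os.path.exists(path):
        return path
    archive, member = split_zip_path(path)
    if not zipfile.is_zipfile(archive):
        return path
    with zipfile.ZipFile(archive) as zf:
        if member not in zf.namelist():
            return path
        data = zf.read(member)
    # mkdtemp() creates a uniquely named directory with mode 0700, so nothing
    # an attacker planted earlier can be picked up, and O_EXCL refuses to reuse a file.
    private_dir = tempfile.mkdtemp(prefix="cabundle-", dir=tmpdir)
    extracted = os.path.join(private_dir, member.split("/")[-1])
    fd = os.open(extracted, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    # Belt and braces: what goes to the TLS stack must be what the archive holds.
    with open(extracted, "rb") as fh:
        if fh.read() != data:
            raise RuntimeError("extracted CA bundle does not match archive member")
    return extracted


def demo():
    """Plant a rogue cacert.pem first, then load the bundle both ways."""
    base = tempfile.mkdtemp(prefix="requests-demo-")
    tmpdir = os.path.join(base, "tmp")  # stands in for the shared system temp dir
    os.mkdir(tmpdir)
    archive = build_zipapp(base)
    # What certifi.where() yields when certifi lives inside the archive.
    bundle_path = os.path.join(archive, "certifi", "cacert.pem")

    # Local attacker wins the race: the predictable path already exists.
    with open(os.path.join(tmpdir, "cacert.pem"), "wb") as fh:
        fh.write(ROGUE_PEM)

    with open(extract_vulnerable(bundle_path, tmpdir), "rb") as fh:
        vulnerable_loaded = fh.read()
    with open(extract_hardened(bundle_path, tmpdir), "rb") as fh:
        hardened_loaded = fh.read()
    return vulnerable_loaded, hardened_loaded


if __name__ == "__main__":
    v, h = demo()
    print("vulnerable path loaded rogue bundle:", v == ROGUE_PEM)
    print("hardened path loaded genuine bundle:", h == GENUINE_PEM)
```

The hardened variant trades a private directory per extraction for safety; a real implementation would cache the extracted path for the lifetime of the process rather than re-extracting on every call. The essential properties are that the directory is created by the process itself with mode 0700, the file is created with `O_EXCL` so an existing file is never reused, and the bytes handed to the TLS stack are checked against the archive member.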
Impact
Exploitation allows a local attacker to substitute a malicious CA bundle for the legitimate one. An application that relies on the Requests library then trusts certificates issued by the attacker's CA, so an attacker who also holds a network position can intercept and tamper with that application's HTTPS traffic without triggering a verification error.
Remediation
Users are advised to upgrade to Requests version 2.33.0 or later, where this vulnerability has been addressed. If an upgrade is not possible, set the `TMPDIR` environment variable (which `tempfile.gettempdir()` consults first) to a directory that is writable only by the user the application runs as, for example one created with mode 0700, so that no other local user can pre-create the extracted filename. Alternatively, pass an explicit on-disk bundle via the `verify` parameter (for example `verify="/etc/ssl/certs/ca-certificates.crt"`), since `cert_verify()` only extracts the bundled default when `verify` is `True`.
