📂 Vulnerable Library - requests-2.32.5-py3-none-any.whl
Python HTTP for Humans.
Library home page: https://files.pythonhosted.org/packages/1e/db/4254e3eabe8020b458f1a747140d32277ec7a271daf1d235b70dc0b4e6e3/requests-2.32.5-py3-none-any.whl
Path to dependency file: /src/Core/DevOps/Locust/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260411072222_HCTYLP/python_OGJROI/202604110722231/env/lib/python3.9/site-packages/requests-2.32.5.dist-info
Findings
| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2026-25645 | 🟠 Medium | 4.4 | Not Defined | < 1% | requests-2.32.5-py3-none-any.whl | Direct | https://github.com/psf/requests.git - v2.33.0 | ✅ | Reachable |
Details
🟠 CVE-2026-25645
Vulnerable Library - requests-2.32.5-py3-none-any.whl
Python HTTP for Humans.
Library home page: https://files.pythonhosted.org/packages/1e/db/4254e3eabe8020b458f1a747140d32277ec7a271daf1d235b70dc0b4e6e3/requests-2.32.5-py3-none-any.whl
Path to dependency file: /src/Core/DevOps/Locust/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260411072222_HCTYLP/python_OGJROI/202604110722231/env/lib/python3.9/site-packages/requests-2.32.5.dist-info
Dependency Hierarchy:
- ❌ requests-2.32.5-py3-none-any.whl (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- shopware/src/Core/DevOps/Locust/common/context.py (Application)
- requests-2.32.5/requests/__init__.py (Extension)
- requests-2.32.5/requests/models.py (Extension)
-> ❌ requests-2.32.5/requests/hooks.py (Vulnerable Component)
Vulnerability Details
Requests is an HTTP library. Prior to version 2.33.0, the "requests.utils.extract_zipped_paths()" utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability; only applications that call "extract_zipped_paths()" directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set "TMPDIR" in their environment to a directory with restricted write access.
Publish Date: Mar 25, 2026 05:02 PM
URL: CVE-2026-25645
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 4.4
Suggested Fix
Type: Upgrade version
Origin: psf/requests@66d21cb
Release Date: Mar 25, 2026 05:02 PM
Fix Resolution : https://github.com/psf/requests.git - v2.33.0