Summary
`cloud-sdk-python` currently pins `requests~=2.31.0`, which is incompatible with the `requests>=2.33.0` required to remediate CVE-2026-25645.
Vulnerability
| Field | Detail |
| --- | --- |
| CVE | CVE-2026-25645 |
| Severity | Medium (CVSS 5.5) |
| Affected | `requests < 2.33.0` |
| Fixed in | `requests >= 2.33.0` |
| CWE | CWE-377 — Insecure Temporary File |
The vulnerability is in `requests.utils.extract_zipped_paths()`, which uses a predictable filename when extracting files into the system temp directory. An attacker with local access could pre-create a malicious file at that path in place of the expected one.
Impact on downstream projects
The `requests~=2.31.0` pin (a compatible-release specifier, equivalent to `>=2.31.0,==2.31.*`) creates a hard dependency conflict for any project that also depends on a package requiring `requests>=2.33.0`. Such packages cannot coexist with `cloud-sdk-python` in the same virtual environment, forcing users to either drop one of the dependencies or remain on a version of `requests` with a known CVE.
Requested change
Relax the pin in `pyproject.toml` from:
to:
This resolves the CVE and unblocks downstream projects that depend on both packages.
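To show concretely why the current pin can never resolve to the fixed version, here is an added example (not code from this issue or from `cloud-sdk-python`) implementing a small PEP 440 subset and checking a pin against the fix requirement; the relaxed specifier `>=2.33.0,<3` in the last line is an assumed illustration, not the issue's actual replacement.

```python
"""Added example (not from the issue or cloud-sdk-python): a minimal PEP 440 subset
(~=, ==, !=, <, <=, >, >=) for plain release versions, used to test a dependency pin."""
import re

_CLAUSE = re.compile(r"^\s*(~=|==|!=|<=|>=|<|>)\s*([0-9]+(?:\.[0-9]+)*)\s*$")

def _parse(version):
    """'2.31.0' -> (2, 31, 0)."""
    return tuple(int(p) for p in version.strip().split("."))

def _cmp(a, b):
    """Compare version tuples, zero-padding the shorter one so 2.31 == 2.31.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)

def satisfies(version, specifier):
    """True if `version` is allowed by every comma-separated clause of `specifier`."""
    ver = _parse(version)
    for clause in specifier.split(","):
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, target = m.groups()
        tgt = _parse(target)
        c = _cmp(ver, tgt)
        if op == "~=":
            # Compatible release: >= target AND equal on all but the last given segment,
            # so ~=2.31.0 means >=2.31.0,==2.31.* and can never admit 2.33.0.
            prefix = tgt[:-1]
            if not prefix:
                raise ValueError("~= needs at least two version segments")
            ok = c >= 0 and _cmp(ver[:len(prefix)], prefix) == 0
        else:
            ok = {"==": c == 0, "!=": c != 0, "<": c < 0,
                  "<=": c <= 0, ">": c > 0, ">=": c >= 0}[op]
        if not ok:
            return False
    return True

def pin_blocks_fix(pin, fix_spec, fixed_version):
    """True if `pin` excludes `fixed_version` although `fix_spec` requires it."""
    return satisfies(fixed_version, fix_spec) and not satisfies(fixed_version, pin)

if __name__ == "__main__":
    print(pin_blocks_fix("~=2.31.0", ">=2.33.0", "2.33.0"))     # True: the pin from this issue
    print(pin_blocks_fix("~=2.31", ">=2.33.0", "2.33.0"))       # False: minor-level ~= admits 2.33.x
    print(pin_blocks_fix(">=2.33.0,<3", ">=2.33.0", "2.33.0"))  # False: assumed relaxed pin
```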