Jump to solution
Verify

Requests Running requests in parallel from a zip archive can create race condition when unpacking (Fix)

Fixed
Spec
Package
Requests
Fixed In
2.27.0
Python
3.6
Verdict
Status
Fixed
Safe for prod
No
Risk
Medium
Last verified
2026-02-07
Own content ratio
0.56
#5223 ai concurrency corruption security tls Race Condition Updated: 2026-02-13
Issue #5223

The Fix

pip install requests==2.27.0

Based on closed psf/requests issue #5223 · PR/commit linked

Production note: This tends to surface only under concurrency. Reproduce with load tests and watch for lock contention/cancellation paths.

Jump to Verify Open PR/Commit
@@ -256,13 +256,28 @@ def extract_zipped_paths(path): # we have a valid zip archive and a valid member of that archive tmp = tempfile.gettempdir() - extracted_path = os.path.join(tmp, *member.split('/')) + extracted_path = os.path.join(tmp, member.split('/')[-1]) if not os.path.exists(extracted_path):
repro.py
import requests from concurrent.futures import ThreadPoolExecutor urls = ("https://github.com", "https://github.com", "https://github.com", "https://github.com") def get(url): print(f"Getting {url}") requests.get(url) with ThreadPoolExecutor(5) as pool: pool.map(get, urls)
verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.
fix.md
Option A — Upgrade to fixed release\npip install requests==2.27.0\nWhen NOT to use: This fix is not suitable if the application requires distinct certificate files for each thread.\n\n

Why This Fix Works in Production

  • Trigger: FileExistsError: [Errno 17] File exists: '/data/jenkins/postproc-asustor/204934530/_temp/certifi'
  • Mechanism: Resolves a race condition when extracting the cacerts.pem file by avoiding the creation of nested folders during extraction.
  • Why the fix works: Resolves a race condition when extracting the cacerts.pem file by avoiding the creation of nested folders during extraction. (first fixed release: 2.27.0).
Production impact:
  • If left unfixed, failures can be intermittent under concurrency (hard to reproduce; shows up as sporadic 5xx/timeouts).

Why This Breaks in Prod

  • Shows up under Python 3.6 in real deployments (not just unit tests).
  • Surfaces as: FileExistsError: [Errno 17] File exists: '/data/jenkins/postproc-asustor/204934530/_temp/certifi'

Proof / Evidence

  • GitHub issue: #5223
  • Fix PR: https://github.com/psf/requests/pull/5707
  • First fixed release: 2.27.0
  • Reproduced locally: No (not executed)
  • Last verified: 2026-02-07
  • Confidence: 0.85
  • Did this fix it?: Yes (upstream fix exists)
  • Own content ratio: 0.56

Discussion

High-signal excerpts from the issue thread (symptoms, repros, edge-cases).

Jump to Sources Open on GitHub
“This can be reproduced with running pip in parallel too.”
@gaborbernat · 2020-12-21 · source
“Genuinely, it'd be best if there was a way not have to extract cacerts.pem from the zip file at all and be able to clean…”
@sigmavirus24 · 2020-12-22 · source
“What about using an application data folder to extract this (no cleanup), and do the writing in parallel safe manner (mkdir with exist ok)? This…”
@gaborbernat · 2020-12-22 · source
“A user write able temp folder is almost as easy to exploit as a user write able temp folder we have now”
@gaborbernat · 2020-12-22 · source

Failure Signature (Search String)

  • FileExistsError: [Errno 17] File exists: '/data/jenkins/postproc-asustor/204934530/_temp/certifi'

Error Message

Stack trace
error.txt
Error Message ------------- FileExistsError: [Errno 17] File exists: '/data/jenkins/postproc-asustor/204934530/_temp/certifi'

Minimal Reproduction

repro.py
import requests from concurrent.futures import ThreadPoolExecutor urls = ("https://github.com", "https://github.com", "https://github.com", "https://github.com") def get(url): print(f"Getting {url}") requests.get(url) with ThreadPoolExecutor(5) as pool: pool.map(get, urls)

Environment

  • Python: 3.6

Fix Options (Details)

Option A — Upgrade to fixed release Safe default (recommended)

pip install requests==2.27.0

When NOT to use: This fix is not suitable if the application requires distinct certificate files for each thread.

Use when you can deploy the upstream fix. It is usually lower-risk than long-lived workarounds.

Fix reference: https://github.com/psf/requests/pull/5707

First fixed release: 2.27.0

Last verified: 2026-02-07. Validate in your environment.

Get updates

We publish verified fixes weekly. No spam.

Subscribe

When NOT to Use This Fix

  • This fix is not suitable if the application requires distinct certificate files for each thread.

Verify Fix

verify
Re-run the minimal reproduction on your broken version, then apply the fix and re-run.

Did This Fix Work in Your Case?

Quick signal helps us prioritize which fixes to verify and improve.

Prevention

  • Add a TLS smoke test that performs a real handshake in CI (include CA bundle validation and hostname checks).
  • Alert on handshake failures by error string and endpoint to catch cert/CA changes quickly.
  • Add a stress test that runs high-concurrency workloads and fails on thread dumps / blocked locks.
  • Enable watchdog dumps in prod (faulthandler, thread dump endpoint) to capture deadlocks quickly.

Version Compatibility Table

VersionStatus
2.27.0 Fixed

Related Issues

No related fixes found.

Cluster: requests:race-condition Requests hub Requests best practices All hubs All clusters
Related clusters: Configuration error Data consistency SSL handshake

Sources

We don’t republish the full GitHub discussion text. Use the links above for context.

Source & Disclaimer: Analysis derived from GitHub Issue #5223. Not affiliated with the library maintainers. Verify before production use.