Intel

AIKIDO-2026-920436

instagrapi is vulnerable to Insecure Temporary File

Insecure Temporary File Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 3 days ago

25

Low Risk

This Affects:

PYTHONinstagrapi
1.0.0 - 2.5.9
Fixed in 2.5.10
Are you affected? Scan for Free

TL;DR

The reel and story building helpers in clip.py and story.py create temporary media files with tempfile.mktemp, which only returns a predictable path and does not atomically create the file. On a shared host a local attacker can pre-create a symlink at that predictable path during the window before the library opens it, redirecting the written audio or video content to an attacker-chosen file or exposing the media being processed. This time-of-check to time-of-use race can lead to local file overwrite or disclosure. The fix introduces a _make_tmp_path helper built on tempfile.mkstemp that atomically creates a uniquely named file and closes the race window.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you use the reel or story building and upload helpers on a shared or multi-user system.

Background info

instagrapi is vulnerable to Insecure Temporary File in versions 1.0.0 - 2.5.9.

How to fix this

Upgrade the instagrapi library to the patch version.