CVE-2026-23949
HIGH
GHSA-58pv-8j8x-9vj2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
4Description
jaraco.context, an open-source software package that provides some useful decorators and context managers, has a Zip Slip path traversal vulnerability in the `jaraco.context.tarball()` function starting in version 5.2.0 and prior to version 6.1.0. The vulnerability may allow attackers to extract files outside the intended extraction directory when malicious tar archives are processed. The strip_first_component filter splits the path on the first `/` and extracts the second component, while allowing `../` sequences. Paths like `dummy_dir/../../etc/passwd` become `../../etc/passwd`. Note that this suffers from a nested tarball attack as well with multi-level tar files such as `dummy_dir/inner.tar.gz`, where the inner.tar.gz includes a traversal `dummy_dir/../../config/.env` that also gets translated to `../../config/.env`. Version 6.1.0 contains a patch for the issue.
Analysis
Jaraco.context versions 5.2.0 through 6.0.x contain a path traversal vulnerability in the tarball() function that allows attackers to extract files outside the intended directory when processing malicious tar archives, with public exploit code available. The vulnerability exploits insufficient path validation that fails to properly filter directory traversal sequences like `../`, potentially enabling unauthorized file extraction and nested tarball attacks. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 7 days: Identify all affected systems running version 5.2.0 and and apply vendor patches promptly. Review file handling controls and restrict upload directories.
Sign in for detailed remediation steps.
Priority Score
Vendor Status
Share
External POC / Exploit Code
Leaving vuln.today