CVE-2026-23949
Unknown Unknown - Not Provided
Zip Slip Path Traversal in jaraco.context.tarball() Allows Arbitrary Extraction

Publication date: 2026-01-20

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
jaraco.context, an open-source software package that provides some useful decorators and context managers, has a Zip Slip path traversal vulnerability in the `jaraco.context.tarball()` function starting in version 5.2.0 and prior to version 6.1.0. The vulnerability may allow attackers to extract files outside the intended extraction directory when malicious tar archives are processed. The strip_first_component filter splits the path on the first `/` and extracts the second component, while allowing `../` sequences. Paths like `dummy_dir/../../etc/passwd` become `../../etc/passwd`. Note that this suffers from a nested tarball attack as well with multi-level tar files such as `dummy_dir/inner.tar.gz`, where the inner.tar.gz includes a traversal `dummy_dir/../../config/.env` that also gets translated to `../../config/.env`. Version 6.1.0 contains a patch for the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-20
Last Modified
2026-03-11
Generated
2026-06-16
AI Q&A
2026-01-20
EPSS Evaluated
2026-06-14
NVD
CVE-2026-23949
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jaraco jaraco.context From 5.2.0 (inc) to 6.1.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-23949 is a Zip Slip path traversal vulnerability in the jaraco.context Python package, specifically in the tarball() function. The vulnerability occurs because the path filtering function (strip_first_component) improperly handles paths containing '../' sequences, allowing malicious tar archives to extract files outside the intended extraction directory. This means an attacker can craft tar files that, when extracted, place files anywhere on the filesystem, potentially overwriting critical files. The issue also affects nested tarballs, where inner archives can similarly escape the extraction directory. This vulnerability was present in versions 5.2.0 up to but not including 6.1.0, where a patch was introduced to fix the filtering logic and prevent path traversal. [3]

Impact Analysis

This vulnerability can allow attackers to write arbitrary files anywhere on the filesystem when a vulnerable version of jaraco.context extracts a malicious tar archive. This can lead to unauthorized file creation or overwriting, potentially enabling privilege escalation, supply-chain attacks, or other malicious activities. For example, attackers could overwrite configuration files, place malicious scripts, or modify sensitive data outside the intended extraction directory. The exploitability is considered high for confidentiality impact, though privilege escalation is rated as low exploitability. Overall, it poses a significant security risk when processing untrusted tar files. [3]

Detection Guidance

To detect this vulnerability, you can check if your system uses a vulnerable version of the jaraco.context package (>=5.2.0 and <6.1.0). Additionally, you can look for suspicious tar extraction activities that attempt to write files outside the intended extraction directory, especially tarballs containing paths with '../' sequences or absolute paths. Since the vulnerability involves path traversal during tar extraction, monitoring file extraction logs or scanning for unexpected file creations outside extraction directories can help. Specific commands are not provided in the resources, but you might use commands like 'tar -tf <archive>' to list tar contents and manually inspect for traversal paths, or write scripts to parse tarball contents for '../' sequences. Also, checking installed package versions can be done with 'pip show jaraco.context' or equivalent. [3]

Mitigation Strategies

Immediate mitigation steps include upgrading the jaraco.context package to version 6.1.0 or later, where the vulnerability is patched. The patch replaces the unsafe 'strip_first_component' filter with a composed filter that enforces path traversal safety, preventing extraction of files outside the target directory. If upgrading is not immediately possible, avoid processing untrusted tar archives with vulnerable versions of jaraco.context. Additionally, consider applying or backporting the patch that rejects tar members with absolute paths or '../' sequences in their names to prevent path traversal during extraction. [2, 3]

Compliance Impact

The vulnerability allows attackers to extract files outside the intended directory, potentially leading to unauthorized file creation or modification on the filesystem. This could result in exposure or tampering of sensitive data, which may impact compliance with data protection regulations such as GDPR or HIPAA by violating requirements for data integrity and confidentiality. However, specific compliance impacts are not detailed in the provided resources. [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23949. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart