Description
jaraco.context, an open-source software package that provides some useful decorators and context managers, has a Zip Slip path traversal vulnerability in the `jaraco.context.tarball()` function starting in version 5.2.0 and prior to version 6.1.0. The vulnerability may allow attackers to extract files outside the intended extraction directory when malicious tar archives are processed. The strip_first_component filter splits the path on the first `/` and extracts the second component, while allowing `../` sequences. Paths like `dummy_dir/../../etc/passwd` become `../../etc/passwd`. Note that this suffers from a nested tarball attack as well with multi-level tar files such as `dummy_dir/inner.tar.gz`, where the inner.tar.gz includes a traversal `dummy_dir/../../config/.env` that also gets translated to `../../config/.env`. Version 6.1.0 contains a patch for the issue.
Published: 2026-01-20
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized File Extraction via Path Traversal
Action: Patch
AI Analysis

Impact

jaraco.context, a Python package providing decorators and context managers, contains a Zip Slip path traversal flaw (CWE-22) in its tarball() context manager from version 5.2.0 up to, but not including, 6.1.0. The strip_first_component filter that tarball() applies during extraction splits each member name at the first `/` and keeps the remainder without checking it for `..` components, so a member named dummy_dir/../../etc/passwd is extracted as ../../etc/passwd, outside the target directory. The same transformation applies to nested archives: an inner archive shipped as dummy_dir/inner.tar.gz whose members carry the same prefix-plus-traversal layout (dummy_dir/../../config/.env) resolves to ../../config/.env when it is extracted in turn. The result is an arbitrary file write with the privileges of the extracting process, for example overwriting a configuration file such as config/.env.

Affected Systems

The vulnerability affects all releases of the jaraco.context package from 5.2.0 through 6.0.x. The package is available on PyPI and is used in a range of Python projects. Version 6.1.0 and later include the patch that guards against the traversal issue. Users who depend on jaraco.context in their application logic or build scripts are at risk when they process untrusted tar archives with the bundled tarball() helper.

Risk and Exploitability

The CVSS 3.1 base score of 8.6 (vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) classifies this flaw as High severity. The EPSS score of less than 1% suggests a low likelihood of exploitation in the wild at present, and the vulnerability is not listed in the CISA KEV catalog, although the SSVC entry below records a public proof of concept and rates the issue automatable. Exploitation requires an attacker to control an archive that reaches tarball(): for example a service that downloads and unpacks user-supplied tarballs, or a build script that fetches an archive from a location the attacker can influence. A crafted member name then causes extraction to write attacker-controlled content outside the target directory, with the privileges of the extracting process; overwriting a configuration file or a script that is later executed is the usual route from this primitive to code execution. Note that the published vector scores confidentiality rather than integrity; in practice the direct effect of an archive-extraction traversal is an arbitrary file write.

Generated by OpenCVE AI on April 18, 2026 at 15:47 UTC.

Remediation

Fixed upstream in jaraco.context 6.1.0 (see the description above). No workaround other than upgrading is listed by the vendor.

OpenCVE Recommended Actions

  • Upgrade jaraco.context to version 6.1.0 or newer to obtain the path-sanitization patch.
  • If an immediate upgrade is not feasible, do not pass untrusted archives (including nested ones) to tarball(); alternatively, replace or wrap the strip_first_component filter so that any member whose stripped name is absolute or contains a `..` component is rejected before extraction.
  • Limit tarball() to archives from trusted sources and avoid processing untrusted archive content in production environments.

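The filter behaviour described under Impact, and the hardened replacement that the second recommended action calls for, as an added example. This is illustration code written for this page, not jaraco.context's own implementation: the vulnerable filter is a hypothetical reconstruction of the behaviour the advisory describes, the archives are constructed in memory from the advisory's example member names, and the destination path `/srv/extract` is an assumption. Nothing is written to disk; the script only reports what each member's name would become under each filter.

```python
"""Added example: how a strip-first-component extraction filter turns a crafted
tar member name into a path outside the extraction directory, and a hardened
filter that rejects such members. Illustration only, not jaraco.context's code."""
import io
import os
import tarfile


def vulnerable_strip_first_component(member, dest_path):
    """Hypothetical reconstruction of the vulnerable filter: drop everything up
    to the first '/' and keep the remainder, without looking for '..' in it.
    Uses the tarfile extraction-filter signature (member, dest_path)."""
    _, _, rest = member.name.partition('/')
    member.name = rest
    return member


def _escapes(dest_path, relative):
    """True if dest_path/relative would resolve to a location outside dest_path."""
    root = os.path.realpath(dest_path)
    target = os.path.realpath(os.path.join(root, relative))
    return os.path.commonpath([root, target]) != root


def safe_strip_first_component(member, dest_path):
    """Hardened filter: strip the first component, then refuse any member whose
    name or link target would land outside dest_path. Raises ValueError so the
    whole extraction aborts instead of silently skipping the member."""
    _, _, rest = member.name.partition('/')
    if rest == '':
        return None  # the top-level directory entry itself (or a prefix-less member): skip
    if os.path.isabs(rest) or _escapes(dest_path, rest):
        raise ValueError(f'member {member.name!r} escapes {dest_path!r}')
    if member.issym() or member.islnk():
        # Symlink targets are relative to the member's own directory, hard-link
        # targets to the archive root; either way an absolute or '..' target is
        # a second way out of dest_path, so reject it outright.
        if os.path.isabs(member.linkname) or '..' in member.linkname.split('/'):
            raise ValueError(f'link {member.name!r} -> {member.linkname!r} escapes {dest_path!r}')
    member.name = rest
    return member


def build_archive(members):
    """Construct an in-memory .tar.gz from {member_name: bytes}. Member names
    are written verbatim: tarfile does not sanitize names on the way in, which
    is exactly how a malicious archive is produced."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode='w:gz') as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def filtered_names(archive, filt, dest_path='/srv/extract'):
    """Apply an extraction filter to every member of an in-memory archive and
    report what each member's name would become (or why it was rejected).
    Stops short of extracting, so it is safe to run on hostile input."""
    report = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode='r:gz') as tar:
        for member in tar.getmembers():
            original = member.name
            try:
                result = filt(member, dest_path)
                report[original] = result.name if result is not None else 'SKIPPED'
            except ValueError as exc:
                report[original] = f'REJECTED: {exc}'
    return report


def demo():
    """Constructed sample archives mirroring the advisory's two cases: a direct
    traversal member and a nested inner.tar.gz carrying the same trick."""
    inner = build_archive({'dummy_dir/../../config/.env': b'SECRET=attacker\n'})
    outer = build_archive({
        'dummy_dir/README': b'looks harmless\n',
        'dummy_dir/../../etc/passwd': b'evil::0:0::/:/bin/sh\n',
        'dummy_dir/inner.tar.gz': inner,
    })
    return {
        'vulnerable_outer': filtered_names(outer, vulnerable_strip_first_component),
        'vulnerable_inner': filtered_names(inner, vulnerable_strip_first_component),
        'safe_outer': filtered_names(outer, safe_strip_first_component),
        'safe_inner': filtered_names(inner, safe_strip_first_component),
    }


if __name__ == '__main__':
    for label, names in demo().items():
        print(label)
        for original, outcome in names.items():
            print(f'  {original:32} -> {outcome}')
```

The vulnerable filter maps dummy_dir/../../etc/passwd to ../../etc/passwd and, for the inner archive, dummy_dir/../../config/.env to ../../config/.env, exactly the translations the description gives; the hardened filter keeps dummy_dir/README as README and raises on both traversal members. On Python 3.12 and the maintenance releases that backported PEP 706 (3.8.17, 3.9.17, 3.10.12 and 3.11.4 onward), the same protection can be had by returning tarfile.data_filter(member, dest_path) after stripping the prefix, which raises tarfile.OutsideDestinationError for escaping members and also checks link targets. Whichever check is used, it has to run inside the filter, before the member is written: validating paths after extractall() returns is too late.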


Advisories
Source       ID                    Title
GitHub GHSA  GHSA-58pv-8j8x-9vj2   jaraco.context Has a Path Traversal Vulnerability
Ubuntu USN   USN-7979-1            jaraco.context vulnerability
History

Wed, 11 Mar 2026 23:15:00 +0000
  CPEs                 added: cpe:2.3:a:jaraco:jaraco.context:*:*:*:*:*:python:*:*

Tue, 20 Jan 2026 17:15:00 +0000
  Metrics              added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 20 Jan 2026 12:15:00 +0000
  References           (no values listed)
  Metrics              threat_severity: None -> Important

Tue, 20 Jan 2026 08:45:00 +0000
  First Time appeared  Jaraco; Jaraco jaraco.context
  Vendors & Products   Jaraco; Jaraco jaraco.context

Tue, 20 Jan 2026 00:45:00 +0000
  Description          added: jaraco.context, an open-source software package that provides some useful decorators and context managers, has a Zip Slip path traversal vulnerability in the `jaraco.context.tarball()` function starting in version 5.2.0 and prior to version 6.1.0. The vulnerability may allow attackers to extract files outside the intended extraction directory when malicious tar archives are processed. The strip_first_component filter splits the path on the first `/` and extracts the second component, while allowing `../` sequences. Paths like `dummy_dir/../../etc/passwd` become `../../etc/passwd`. Note that this suffers from a nested tarball attack as well with multi-level tar files such as `dummy_dir/inner.tar.gz`, where the inner.tar.gz includes a traversal `dummy_dir/../../config/.env` that also gets translated to `../../config/.env`. Version 6.1.0 contains a patch for the issue.
  Title                added: jaraco.context Has a Path Traversal Vulnerability
  Weaknesses           added: CWE-22
  References           (no values listed)
  Metrics              added: cvssV3_1 {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-20T17:02:50.613Z

Reserved: 2026-01-19T14:49:06.312Z

Link: CVE-2026-23949

Vulnrichment

Updated: 2026-01-20T17:02:47.507Z

NVD

Status : Analyzed

Published: 2026-01-20T01:15:57.723

Modified: 2026-03-11T23:12:19.323

Link: CVE-2026-23949

Redhat

Severity : Important

Public Date: 2026-01-20T00:36:23Z

Links: CVE-2026-23949 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T16:00:04Z

Weaknesses