CVE-2026-23949
📋 TL;DR
CVE-2026-23949 is a Zip Slip path traversal vulnerability in jaraco.context's tarball() function that allows attackers to extract files outside the intended directory when processing malicious tar archives. This affects systems using jaraco.context versions 5.2.0 through 6.0.x for Python applications that process tar files from untrusted sources.
💻 Affected Systems
- jaraco.context
- setuptools (vendored version)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary file overwrite leading to remote code execution, configuration file manipulation, or sensitive data exposure by writing to critical system locations.
Likely Case
Local file overwrite in application directories leading to privilege escalation, data corruption, or denial of service.
If Mitigated
Limited impact if proper file permissions restrict write access to sensitive directories and input validation is implemented.
🎯 Exploit Status
Proof of concept available in advisory. Exploitation requires application to process tar files from untrusted sources.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.1.0
Vendor Advisory: https://github.com/jaraco/jaraco.context/security/advisories/GHSA-58pv-8j8x-9vj2
Restart Required: No
Instructions:
1. Update jaraco.context: pip install --upgrade jaraco.context==6.1.0
2. If using vendored version in setuptools, update setuptools
3. Verify no applications are pinned to vulnerable versions
🔧 Temporary Workarounds
Input validation wrapper
Implement custom validation to reject tar member paths that would resolve outside the destination directory before extracting:
# Python code to validate member paths before extracting
import tarfile
from pathlib import Path

def safe_extract(tar_path, extract_dir):
    extract_path = Path(extract_dir).resolve()
    with tarfile.open(tar_path) as tar:
        for member in tar.getmembers():
            # Resolve each name relative to the destination, exactly as extraction would
            member_path = (extract_path / member.name).resolve()
            # is_relative_to avoids the prefix bug of startswith ("/opt/app" vs "/opt/app2")
            if not member_path.is_relative_to(extract_path):
                raise ValueError('Path traversal attempt detected')
        # Note: symlink and hard link targets need a separate check before extraction
        tar.extractall(extract_path)
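As an added example (not code from the advisory or the jaraco.context project), the following builds a constructed in-memory archive with one benign member, one "../" member and one symlink pointing above the destination, then scans it the way a pre-extraction check would, covering link targets as well as member names. The function names `unsafe_members`, `build_test_archive` and `scan_bytes` are chosen here and are not part of any library.

```python
import io
import os
import tarfile

def unsafe_members(archive, dest):
    """Return names of members whose extraction target or link target would
    land outside dest: the Zip Slip condition described in this advisory."""
    root = os.path.realpath(dest)
    flagged = []
    for m in archive.getmembers():
        # Resolve the member name against dest exactly as extraction would.
        target = os.path.realpath(os.path.join(root, m.name))
        # commonpath avoids the prefix bug of startswith ("/opt/app" vs "/opt/app2").
        if os.path.commonpath([root, target]) != root:
            flagged.append(m.name)
            continue
        # Symlink targets are relative to the link's own directory; hard link
        # targets are relative to the archive root. Either can point outside dest.
        if m.issym():
            link = os.path.realpath(os.path.join(os.path.dirname(target), m.linkname))
        elif m.islnk():
            link = os.path.realpath(os.path.join(root, m.linkname))
        else:
            continue
        if os.path.commonpath([root, link]) != root:
            flagged.append(m.name)
    return flagged

def build_test_archive():
    """Constructed sample archive (not from the advisory): one benign file,
    one '../' traversal member and one symlink escaping the destination."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in [("pkg/README", b"ok\n"), ("../escape.txt", b"outside\n")]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("pkg/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
    return buf.getvalue()

def scan_bytes(data, dest):
    """Open an archive from bytes and list the members that must not be extracted."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        return unsafe_members(tar, dest)
```

Running `scan_bytes(build_test_archive(), "extract_root")` lists the two escaping members and leaves the benign one unflagged; an empty list is the condition under which extraction should proceed.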
🧯 If You Can't Patch
- Disable tar file processing from untrusted sources in applications
- Implement strict file permission controls to limit write access to sensitive directories
🔍 How to Verify
Check if Vulnerable:
Check installed version: pip show jaraco.context | grep Version
Check Version:
python -c "import jaraco.context; print(jaraco.context.__version__)"
Verify Fix Applied:
Confirm version is 6.1.0 or higher: pip list | grep jaraco.context
📡 Detection & Monitoring
Log Indicators:
- Unusual file write operations outside expected directories
- Failed path validation attempts in application logs
Network Indicators:
- Large tar file uploads followed by file system activity
SIEM Query:
source=application_logs AND ("tarball" OR "extract") AND ("../" OR "path traversal")
🔗 References
- https://github.com/jaraco/jaraco.context/blob/main/jaraco/context/__init__.py#L74-L91
- https://github.com/jaraco/jaraco.context/commit/7b26a42b525735e4085d2e994e13802ea339d5f9
- https://github.com/jaraco/jaraco.context/security/advisories/GHSA-58pv-8j8x-9vj2
- https://github.com/pypa/setuptools/blob/main/setuptools/_vendor/jaraco/context.py#L55-L76