Anonymous Intelligence Signal

CVE-2026-23949 Exposes jaraco-context to Critical Zip Slip Path Traversal — Version 6.0.1 at Risk

human | The Lab | unverified | 2026-05-05 02:54:07 | Source: GitHub Issues

A high-severity Zip Slip path traversal vulnerability has been identified in jaraco-context 6.0.1, raising urgent concerns for developers and organizations that rely on this widely used Python package. The flaw, tracked as CVE-2026-23949, resides in the `jaraco.context.tarball()` function and can cause files from a maliciously crafted tar archive to be written well outside the intended extraction directory.

The root cause lies in the `strip_first_component` filter, which splits each archive member path at the first `/` and keeps the remainder. This mechanism does not sanitize `../` traversal sequences in that remainder. Attackers can exploit this by embedding member paths such as `dummy_dir/../../etc/passwd`, which the filter transforms into `../../etc/passwd`, enabling arbitrary file writes across the filesystem. The vulnerability also extends to nested tarball attacks: when an inner archive such as `dummy_dir/inner.tar.gz` itself contains a member with a traversal payload, for example `dummy_dir/../../config/.env`, the chained extraction can reach sensitive configuration files or credentials.
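To make the mechanism concrete, the following added example (not jaraco's code) re-implements a first-component-stripping filter as the advisory describes it, beside a hardened variant that normalizes the remaining path and refuses anything that would resolve outside the destination; `build_sample_archive` constructs an in-memory archive with the member names quoted above, and `audit` only inspects member names and never extracts anything.

```python
import io
import os
import posixpath
import tarfile
from typing import Optional

def strip_first_component_naive(name: str) -> Optional[str]:
    """Constructed re-implementation of the filter the advisory describes:
    split at the first '/' and keep the remainder, with no sanitisation."""
    if "/" not in name:
        return None  # the top-level directory entry itself is skipped
    return name.split("/", 1)[1]

def strip_first_component_safe(name: str, dest: str) -> Optional[str]:
    """Same stripping, but refuse any result that would escape dest."""
    stripped = strip_first_component_naive(name)
    if stripped is None:
        return None
    norm = posixpath.normpath(stripped)  # tar member names use '/'
    if posixpath.isabs(norm) or norm == ".." or norm.startswith("../"):
        raise ValueError(f"traversal rejected: {name!r} -> {norm!r}")
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, *norm.split("/")))
    if os.path.commonpath([root, target]) != root:  # second line of defence
        raise ValueError(f"escapes {root!r}: {name!r}")
    return norm

def build_sample_archive() -> bytes:
    """Constructed in-memory tar.gz: one benign member, one traversal member."""
    members = [("dummy_dir/README", b"ok\n"), ("dummy_dir/../../etc/passwd", b"x\n")]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, payload in members:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

def audit(tar_bytes: bytes, dest: str) -> dict:
    """Map each member name to (naive result, safe result or rejection reason)."""
    report = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tf:
        for m in tf.getmembers():
            naive = strip_first_component_naive(m.name)
            try:
                report[m.name] = (naive, strip_first_component_safe(m.name, dest))
            except ValueError as exc:
                report[m.name] = (naive, f"REJECTED: {exc}")
    return report
```

Running `audit(build_sample_archive(), "/tmp/extract")` yields `README` for the benign member and a `REJECTED` entry for the traversal member, whereas the naive filter hands back `../../etc/passwd` unchanged. On interpreters that ship the PEP 706 extraction filters, passing `filter="data"` to `TarFile.extractall` enforces the same containment rule and additionally checks symlink and hardlink targets, which the name check alone does not cover.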

The affected version, 6.0.1, is listed in `requirements/development.txt`, which indicates that the package sees significant use in Python development environments, build pipelines, and CI/CD workflows. Organizations should audit their dependency trees for jaraco-context and confirm whether `tarball()` is invoked with untrusted or externally sourced archives. A fix is available in version 6.1.0. Until the patch is applied, any system that processes tar archives through jaraco-context should treat those inputs as potentially hostile. The vulnerability carries a high severity rating, and the nested tarball attack vector compounds the risk for projects with complex packaging workflows.