Stripped Vulnerable: The jaraco.context Zip Slip
Jan 14, 2026
Executive Summary (TL;DR)
The `tarball()` context manager in `jaraco.context` downloads an archive and extracts it through a filter, `strip_first_component`, that tries to be helpful by removing the top-level directory from every member name. It does this with plain string manipulation (`split` and `join`) and hands the rewritten member straight back to the extractor, so no security validation ever runs on the final name. An attacker can therefore craft a tarball whose member names, once 'stripped', resolve to traversal paths such as `../../etc/passwd`, giving an arbitrary file write outside the extraction directory and, through it, remote code execution. Because `jaraco.context` is vendored by `setuptools`, the blast radius is massive.
A critical path traversal vulnerability in jaraco.context, a package vendored by the ubiquitous setuptools, allows attackers to escape extraction directories via malicious tar archives.
Technical Appendix
CVSS vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`
Affected Systems
Affected Versions Detail
| Product | Vendor | Affected Versions | Fixed Version |
|---|---|---|---|
| jaraco.context | jaraco | < 2026-01-13 patch | commit 7b26a42 |
| setuptools | PyPA | Affected versions vendoring jaraco.context | Unknown (Vendor Update Required) |
| Attribute | Detail |
|---|---|
| Attack Vector | Network (Malicious Tarball) |
| CVSS Base Score | 8.8 (High) |
| Impact | Arbitrary File Write / RCE |
| Exploit Status | PoC Available |
| Vulnerability Type | Path Traversal (Zip Slip) |
| Key Component | `strip_first_component` filter |
CWE Mapping
CWE-22, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as '..' that can resolve to a location that is outside of that directory.