Source: nltk Version: 3.9.2-1 Severity: important Tags: security upstream Forwarded: https://github.com/nltk/nltk/issues/3489 X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for nltk. CVE-2025-14009[0]: | A critical vulnerability exists in the NLTK downloader component of | nltk/nltk, affecting all versions. The _unzip_iter function in | nltk/downloader.py uses zipfile.extractall() without performing path | validation or security checks. This allows attackers to craft | malicious zip packages that, when downloaded and extracted by NLTK, | can execute arbitrary code. The vulnerability arises because NLTK | assumes all downloaded packages are trusted and extracts them | without validation. If a malicious package contains Python files, | such as __init__.py, these files are executed automatically upon | import, leading to remote code execution. This issue can result in | full system compromise, including file system access, network | access, and potential persistence mechanisms. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2025-14009 https://www.cve.org/CVERecord?id=CVE-2025-14009 [1] https://github.com/nltk/nltk/issues/3489 [2] https://huntr.com/bounties/49ecbc02-054e-4470-b2e0-b267936cc4e4 [3] https://github.com/nltk/nltk/pull/3468 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
