Source: nltk
Version: 3.9.3-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/nltk/nltk/pull/3575
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for nltk.

CVE-2026-54293[0]:
| NLTK (Natural Language Toolkit) is a suite of open source Python
| modules, data sets, and tutorials supporting research and
| development in Natural Language Processing. Prior to 3.10.0-rc1,
| nltk.data.load() in NLTK is vulnerable to path traversal via URL-
| encoded path separators and traversal segments when using the nltk:
| URL scheme. The unsafe-path regex check is performed before
| url2pathname() decodes the %xx sequences (a classic decode-after-
| check / TOCTOU-style flaw), allowing an attacker to bypass the
| protection documented in NLTK's SECURITY.md and read arbitrary files
| from the filesystem. While literal traversal strings such as
| ../../../etc/passwd are correctly blocked, encoded variants such as
| %2fetc%2fpasswd, %2e%2e%2f..., and ..%2f..%2f slip past the regex
| and are subsequently decoded into a real filesystem path. This
| vulnerability is fixed in 3.10.0-rc1.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-54293
    https://www.cve.org/CVERecord?id=CVE-2026-54293
[1] https://github.com/nltk/nltk/pull/3575
[2] https://github.com/nltk/nltk/security/advisories/GHSA-p4gq-832x-fm9v

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- 
debian-science-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-science-maintainers

Reply via email to