Source: nltk Version: 3.9.3-1 Severity: important Tags: security upstream Forwarded: https://github.com/nltk/nltk/pull/3575 X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for nltk. CVE-2026-54293[0]: | NLTK (Natural Language Toolkit) is a suite of open source Python | modules, data sets, and tutorials supporting research and | development in Natural Language Processing. Prior to 3.10.0-rc1, | nltk.data.load() in NLTK is vulnerable to path traversal via URL- | encoded path separators and traversal segments when using the nltk: | URL scheme. The unsafe-path regex check is performed before | url2pathname() decodes the %xx sequences (a classic decode-after- | check / TOCTOU-style flaw), allowing an attacker to bypass the | protection documented in NLTK's SECURITY.md and read arbitrary files | from the filesystem. While literal traversal strings such as | ../../../etc/passwd are correctly blocked, encoded variants such as | %2fetc%2fpasswd, %2e%2e%2f..., and ..%2f..%2f slip past the regex | and are subsequently decoded into a real filesystem path. This | vulnerability is fixed in 3.10.0-rc1. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-54293 https://www.cve.org/CVERecord?id=CVE-2026-54293 [1] https://github.com/nltk/nltk/pull/3575 [2] https://github.com/nltk/nltk/security/advisories/GHSA-p4gq-832x-fm9v Please adjust the affected versions in the BTS as needed. Regards, Salvatore -- debian-science-maintainers mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-science-maintainers
