CVE-2021-43854: Uncontrolled Resource Consumption in NLTK

Severity: 7.5 HIGH (NVD)
EPSS: 0.8% (top 25.29%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Dec 23
Latest update: Mar 12

Description

NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. Versions prior to 3.6.5 are vulnerable to regular expression denial of service (ReDoS) attacks. The vulnerability is present in PunktSentenceTokenizer, sent_tokenize and word_tokenize. Any users of this class, or these two functions, are vulnerable to the ReDoS attack. In short, a specifically crafted long input to any of these vul

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (5 packages)

NVD:     nltk/nltk     < 3.6.5
PyPI:    nltk/nltk     < 3.6.6
debian:  debian/nltk   < nltk 3.6.7-1 (bookworm)
Debian:  nltk/nltk     < 3.6.7-1+2
Ubuntu:  nltk/nltk     < 2.0~b9-0ubuntu4.1~esm4+3

Patches

🔴 Vulnerability Details (4)

OSV: nltk vulnerabilities (2025-03-24)
GHSA: Inefficient Regular Expression Complexity in nltk (word_tokenize, sent_tokenize) (2022-01-06)
OSV: Inefficient Regular Expression Complexity in nltk (word_tokenize, sent_tokenize) (2022-01-06)
OSV: CVE-2021-43854: NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Lang (2021-12-23)

📋 Vendor Advisories (2)

Ubuntu: NLTK vulnerabilities (2025-03-24)
Debian: CVE-2021-43854: nltk - NLTK (Natural Language Toolkit) is a suite of open source Python modules, data s... (2021)

📄 Research Papers (2)

arXiv: Cascade: Composing Software-Hardware Attack Gadgets for Adversarial Threat Amplification in Compound AI Systems (2026-03-12)
arXiv: Threat Assessment in Machine Learning based Systems (2022-06-30)