CVE-2025-14009: Code Injection in Nltk

CWE-94 (Code Injection) | 7 documents | 6 sources

Severity: 10.0 CRITICAL (NVD)
EPSS: 0.9% (top 24.59%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Feb 18

Description

A critical vulnerability exists in the NLTK downloader component of nltk/nltk, affecting all versions. The _unzip_iter function in nltk/downloader.py uses zipfile.extractall() without performing path validation or security checks. This allows attackers to craft malicious zip packages that, when downloaded and extracted by NLTK, can execute arbitrary code. The vulnerability arises because NLTK assumes all downloaded packages are trusted and extracts them without validation. If a malicious package
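The description above states that the downloader hands archives straight to zipfile.extractall() without checking member paths. The following is an added example, not code from the NLTK project, showing the check a defender would put in front of extraction: every archive member is resolved against the destination directory and rejected if it is absolute, traverses upward with "..", or is a symlink entry (a symlink planted first can redirect a later write). The check runs before any file is written, independently of whatever sanitising the interpreter's own zipfile module may apply. The archives used here are constructed in memory for the demonstration; the entry names and the temporary-directory helper are assumptions for illustration, not NLTK package contents.

```python
import io
import os
import stat
import tempfile
import zipfile


def unsafe_members(zf, dest):
    """Return (name, reason) pairs for archive entries that must not be extracted.

    Every entry is resolved against the real path of `dest`; anything that
    would land outside it, or that is a symlink, is reported. Nothing is
    written to disk by this function.
    """
    dest_real = os.path.realpath(dest)
    problems = []
    for info in zf.infolist():
        name = info.filename
        # Unix mode bits live in the high 16 bits of external_attr; a symlink
        # entry can later be followed so that a subsequent write lands elsewhere.
        if stat.S_ISLNK(info.external_attr >> 16):
            problems.append((name, "symlink entry"))
            continue
        # Resolve the member's final location and require it to stay under dest.
        # Absolute names make os.path.join discard dest, so they fail this test.
        candidate = os.path.realpath(os.path.join(dest_real, name.replace("\\", "/")))
        try:
            inside = os.path.commonpath([dest_real, candidate]) == dest_real
        except ValueError:  # different drives on Windows
            inside = False
        if not inside:
            problems.append((name, "path escapes destination"))
    return problems


def safe_extractall(zf, dest):
    """Extract only after every member has passed the path check.

    The pattern described for the downloader is the bare `zf.extractall(dest)`;
    this wrapper refuses the whole archive if any single entry is unsafe.
    """
    problems = unsafe_members(zf, dest)
    if problems:
        raise ValueError("refusing to extract archive: %r" % (problems,))
    zf.extractall(dest)


def build_zip(entries):
    """Build an in-memory archive from (name, data, is_symlink) tuples.

    Constructed test data only; these are not real NLTK package contents.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data, is_symlink in entries:
            info = zipfile.ZipInfo(name)
            if is_symlink:
                info.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(info, data)
    buf.seek(0)
    return zipfile.ZipFile(buf)


# Constructed sample archives (hypothetical names, not from the advisory).
BENIGN = [("punkt/english.pickle", b"model bytes", False)]
MALICIOUS = [
    ("../../outside.txt", b"x", False),   # parent-directory traversal
    ("/abs/outside.txt", b"x", False),    # absolute path
    ("link", b"/abs/elsewhere", True),    # symlink entry
    ("ok.txt", b"y", False),              # the one harmless member
]


def extract_to_tempdir(zf):
    """Extract into a fresh temporary directory.

    Returns the sorted relative paths written, or None if the archive was refused.
    """
    dest = tempfile.mkdtemp(prefix="nltk_data_")
    try:
        safe_extractall(zf, dest)
    except ValueError:
        return None
    written = []
    for root, _dirs, files in os.walk(dest):
        for f in files:
            rel = os.path.relpath(os.path.join(root, f), dest)
            written.append(rel.replace(os.sep, "/"))
    return sorted(written)


if __name__ == "__main__":
    print("benign archive   ->", extract_to_tempdir(build_zip(BENIGN)))
    print("malicious archive->", extract_to_tempdir(build_zip(MALICIOUS)))
    for name, reason in unsafe_members(build_zip(MALICIOUS), "nltk_data"):
        print("  rejected %-22s %s" % (name, reason))
```

Refusing the whole archive rather than skipping bad members is deliberate: a package with even one traversal entry is not something a downloader should partially install, and the rejection list gives an operator a concrete indicator to log.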

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (Exploitability: 3.9 | Impact: 6.0)

Affected Packages (5 packages)

NVD: nltk/nltk < 3.9.3
PyPI: nltk/nltk < 3.9.3
debian: debian/nltk < nltk 3.9.3-1 (forky)
Debian: nltk/nltk < 3.9.3-1
CVEListV5: nltk/nltk_nltk (unspecified / latest)

Vulnerability Details (3)

GHSA: NLTK has a Zip Slip Vulnerability (2026-02-18)
OSV: CVE-2025-14009: A critical vulnerability exists in the NLTK downloader component of nltk/nltk, affecting all versions (2026-02-18)
OSV: NLTK has a Zip Slip Vulnerability (2026-02-18)

Vendor Advisories (2)

Red Hat: nltk: Zip Slip Vulnerability in nltk Leading to Code Execution (2026-02-18)
Debian: CVE-2025-14009: nltk - A critical vulnerability exists in the NLTK downloader component of nltk/nltk, a... (2025)

Threat Intelligence (1)

Wiz: CVE-2025-14009 Impact, Exploitability, and Mitigation Steps | Wiz