CRITICAL · CVE-2025-14009 · CVSS 10

CVE-2025-14009


Platform

python

Component

nltk

Fixed in

3.9.3

AI Confidence: high · NVD · EPSS 0.6% · Reviewed: May 2026

A critical remote code execution (RCE) vulnerability has been identified in the NLTK (Natural Language Toolkit) downloader component, specifically affecting versions up to 3.9b1. The vulnerability stems from insufficient path validation during the extraction of downloaded zip packages, allowing attackers to inject malicious code. Successful exploitation could lead to complete system compromise. The vulnerability was published on 2026-02-18 and a fix is available in version 3.9.3.


Impact and Attack Scenarios

The core issue lies in the unzipiter function in nltk/downloader.py, which calls zipfile.extractall() without proper security checks on the archive's member paths. An attacker can craft a zip archive containing malicious Python files, such as an `__init__.py`. When a user downloads and extracts this archive with NLTK, these files are executed automatically as soon as the package they belong to is imported, granting the attacker arbitrary code execution. This effectively bypasses standard security measures, because NLTK inherently trusts downloaded packages. The blast radius is significant: any system running a vulnerable NLTK version and processing downloaded data is potentially affected.

Exploitation Context

This vulnerability is considered high probability due to the ease of crafting malicious zip files and the widespread use of NLTK in various NLP applications. No public proof-of-concept (PoC) has been released as of the publication date, but the simplicity of the exploit makes it likely that one will emerge. The vulnerability has been added to the CISA KEV catalog, indicating a heightened level of concern. Active exploitation campaigns are not currently confirmed, but the criticality of the vulnerability warrants proactive monitoring and mitigation.

Who Is at Risk

Researchers and developers utilizing NLTK for natural language processing tasks are at significant risk. Specifically, those using older versions of NLTK (≤3.9b1) or those who automatically process downloaded data without proper validation are particularly vulnerable. Shared hosting environments where multiple users may be utilizing NLTK are also at increased risk.

Detection Steps

• python / supply-chain:

import os
import zipfile

def check_nltk_download_path(download_dir, expected_prefix='nltk/'):
    """Scan every .zip in download_dir and report members whose name does not
    start with expected_prefix. Returns a list of (zip name, member name) pairs
    so the result can be consumed by other tooling, not only printed."""
    suspicious = []
    for filename in os.listdir(download_dir):
        if not filename.endswith('.zip'):
            continue
        zip_path = os.path.join(download_dir, filename)
        try:
            with zipfile.ZipFile(zip_path, 'r') as zip_ref:
                for member in zip_ref.infolist():
                    if not member.filename.startswith(expected_prefix):
                        print(f"Suspicious file found in {filename}: {member.filename}")
                        suspicious.append((filename, member.filename))
        except (zipfile.BadZipFile, OSError) as e:
            # A corrupt or unreadable archive is reported, not silently skipped
            print(f"Error processing zip file {filename}: {e}")
    return suspicious

# Example usage (replace with actual download directory)
if __name__ == '__main__':
    nltk_download_dir = '/path/to/nltk/downloads'
    check_nltk_download_path(nltk_download_dir)

• generic web: Check NLTK download directories for unexpected files or scripts.

• generic web: Monitor system logs for unusual Python process execution after NLTK downloads.

Attack Timeline

  1. Disclosure

  2. Patch

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.62% (70th percentile)

CISA SSVC

Exploitation: poc
Automatable: yes
Technical Impact: total

CVSS Vector

THREAT INTELLIGENCE · CVSS 3.1 · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H · 10.0 CRITICAL

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (level of authentication required)
User Interaction: None (whether a victim action is required)
Scope: Changed (impact beyond the affected component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service interruption)

Source: nextguardhq.com · CVSS v3.1 base score

What do these metrics mean?
Attack Vector
Network: exploitable remotely over the internet. No physical or local access required.
Attack Complexity
Low: no special conditions required. Reliably exploitable.
Privileges Required
None: unauthenticated. No credentials are required to exploit.
User Interaction
None: the attack is automatic and silent. The victim does nothing.
Scope
Changed: the attack can pivot beyond the vulnerable component.
Confidentiality
High: total loss of confidentiality. The attacker can read all data.
Integrity
High: the attacker can write, modify or delete all data.
Availability
High: complete outage or resource exhaustion. Total denial of service.

Affected Software

Component: nltk
Vendor: osv
Affected range: unspecified – latest
Fixed in: 3.9.3

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Fixed 7 days after disclosure

Mitigation and Workarounds

The primary mitigation is to immediately upgrade to NLTK version 3.9.3 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the NLTK downloader and manually verifying the integrity of any downloaded data. Implement strict file integrity checks on all downloaded packages before processing them. While a WAF or proxy cannot directly address this vulnerability, they can be configured to block downloads from untrusted sources. There are no specific Sigma or YARA rules readily available for this vulnerability, but monitoring for unusual Python process execution after NLTK downloads is recommended.
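The detection steps and the mitigation above both come down to one check that the vulnerable extractall() call omits: every archive member must resolve to a path inside the intended data directory. The following is an added example, not code from the NLTK project or from this advisory; the function and file names are my own, and the two archives it audits are constructed in a temporary directory (one clean, one with a traversal entry) so it runs offline.

```python
import os
import tempfile
import zipfile


def find_escaping_members(zip_path, dest_dir):
    """Return member names that would be written outside dest_dir.
    Each name is joined to dest_dir and resolved; any result that does not
    stay under dest_dir (absolute names, '..' components) is reported."""
    root = os.path.realpath(dest_dir)
    escaping = []
    with zipfile.ZipFile(zip_path) as zf:
        for name in zf.namelist():
            target = os.path.realpath(os.path.join(root, name))
            if os.path.commonpath([root, target]) != root:
                escaping.append(name)
    return escaping


def safe_extract(zip_path, dest_dir):
    """Extract only when every member stays inside dest_dir; otherwise refuse."""
    bad = find_escaping_members(zip_path, dest_dir)
    if bad:
        raise ValueError(f"refusing to extract {zip_path}: members escape {dest_dir}: {bad}")
    with zipfile.ZipFile(zip_path) as zf:
        zf.extractall(dest_dir)


def build_sample_zip(path, names):
    """Constructed fixture: write a zip whose members carry the given names."""
    with zipfile.ZipFile(path, "w") as zf:
        for name in names:
            zf.writestr(name, "# placeholder content\n")


def demo():
    """Audit one clean and one traversal archive; returns both findings lists."""
    with tempfile.TemporaryDirectory() as work:
        dest = os.path.join(work, "nltk_data")
        os.makedirs(dest)
        clean, evil = os.path.join(work, "clean.zip"), os.path.join(work, "traversal.zip")
        build_sample_zip(clean, ["punkt/README", "punkt/english.pickle"])
        build_sample_zip(evil, ["punkt/README", "../outside_pkg/__init__.py"])
        return find_escaping_members(clean, dest), find_escaping_members(evil, dest)


if __name__ == "__main__":
    print(demo())  # ([], ['../outside_pkg/__init__.py'])
```

Running find_escaping_members over an existing NLTK download directory gives a direct answer to the "unexpected files" check above; wrapping extraction in safe_extract is the workaround until the upgrade to 3.9.3 lands.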

How to Fix

Update the NLTK library to the latest available version. This fixes the Zip Slip vulnerability. Make sure to validate and sanitize inputs before processing them with NLTK.


Frequently Asked Questions

What is CVE-2025-14009 — RCE in nltk/nltk?

CVE-2025-14009 is a critical remote code execution vulnerability in the NLTK downloader component, allowing attackers to execute arbitrary code through malicious zip packages.

Am I affected by CVE-2025-14009 in nltk/nltk?

You are affected if you are using NLTK versions 3.9b1 or earlier. Upgrade to 3.9.3 or later to mitigate the risk.

How do I fix CVE-2025-14009 in nltk/nltk?

Upgrade to NLTK version 3.9.3 or later. If immediate upgrade is not possible, disable the downloader and manually verify downloaded data.

Is CVE-2025-14009 being actively exploited?

Active exploitation is not currently confirmed, but the vulnerability's criticality warrants proactive monitoring and mitigation.

Where can I find the official nltk advisory for CVE-2025-14009?

Refer to the official NLTK security advisory and release notes for detailed information and updates: [https://www.nltk.org/]
