PatchSiren cyber security CVE debrief
CVE-2025-14009 nltk CVE debrief
A high-severity vulnerability (CVSS 8.8) exists in the NLTK downloader component of nltk/nltk and is reported as affecting all versions. The _unzip_iter function in nltk/downloader.py hands each downloaded archive straight to zipfile.extractall() without validating member paths or inspecting what the archive contains. An attacker who can get the downloader to fetch a crafted zip package therefore has its contents written to the host unchecked. The root problem is a trust boundary: NLTK assumes every downloaded package is trusted data and unpacks it as-is. If the package carries Python files, such as an __init__.py, those are executed automatically once the package is imported, giving remote code execution on the machine that ran the download.
- Vendor: nltk
- Product: nltk/nltk
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-18
- Original CVE updated: 2026-06-30
- Advisory published: 2026-02-18
- Advisory updated: 2026-06-30
Who should care
Anyone who runs the NLTK downloader, whether through nltk.download() in application code, the python -m nltk.downloader command line, or the interactive GUI, on a developer workstation, CI runner, container build, or production host should treat this as a high-concern issue. A successful attack runs code with the privileges of the process that performed the download, which means full compromise of that account: file system access, network access from the victim host, and the opportunity to install persistence. Organizations that ship NLTK in their applications or products, or that fetch NLTK data during builds, should prioritize moving to a patched version and reviewing how and from where their NLTK data is obtained.
Technical summary
The root cause is that _unzip_iter in nltk/downloader.py passes every downloaded archive to zipfile.extractall() without inspecting its member list: there is no check that entries stay inside the intended data directory, no check for symlink entries, and no check that a package that is supposed to hold data (corpora, grammars, tokenizer models) does not also carry code. Because the downloader treats whatever it fetches as trusted, a crafted zip is unpacked verbatim, and Python files it contains, such as an __init__.py, run automatically when the package is imported. One caveat for anyone triaging or reproducing this: CPython's extractall() does strip absolute paths and ".." components on extraction, so classic zip-slip traversal out of the destination directory is blunted on current interpreters; nothing, however, stops the archive from planting arbitrary files, including executable Python, inside the data directory, which is the path to code execution the advisory describes.
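To make the difference concrete, the following is an added example (not code from nltk/nltk; the function names, the archive contents and the allow-list of data suffixes are all constructed here for illustration). unsafe_extract() reproduces the pattern the advisory describes, an unconditional extractall() on a fetched archive, and find_violations()/safe_extract() show the checks a downloader should run before extracting: every member must resolve inside the destination, must not be a symlink, and must be a data file rather than code. It goes slightly beyond the __init__.py case in the text by also rejecting absolute paths, ".." components and symlink entries, which are the other ways an archive can do damage.

```python
"""Vulnerable-vs-hardened extraction of an NLTK-style data package.

Added example; not code from nltk/nltk. Function names, the sample archives and
DATA_SUFFIXES are this example's own constructions.
"""
import io
import stat
import tempfile
import zipfile
from pathlib import Path, PurePosixPath


def build_package(members: dict[str, str]) -> bytes:
    """Build a zip archive in memory from {member_name: text}. Constructed test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in members.items():
            zf.writestr(name, text)
    return buf.getvalue()


# Constructed sample: looks like a corpus, but smuggles in code and a traversal entry.
MALICIOUS = build_package({
    "evil_corpus/README": "looks like a normal corpus\n",
    "evil_corpus/__init__.py": "import os; os.system('id')  # would run on import\n",
    "../../outside.txt": "tries to escape the data directory\n",
})
# Constructed sample: what a legitimate data-only package looks like.
CLEAN = build_package({
    "good_corpus/README": "plain data\n",
    "good_corpus/words.txt": "alpha\nbeta\n",
})

# Suffixes we are willing to unpack from a data package. Code (.py, .so, ...) and
# pickles are deliberately absent: a corpus has no business carrying either.
DATA_SUFFIXES = {"", ".txt", ".xml", ".json", ".tab", ".tsv", ".zip"}


def unsafe_extract(zip_bytes: bytes, dest: Path) -> list[str]:
    """The pattern the advisory describes: trust the archive, extract everything.

    Returns the files that ended up under dest. CPython strips the ".." prefix, so
    outside.txt lands inside dest, but the smuggled __init__.py is written as-is.
    """
    dest = Path(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)  # no validation of member names or types
    return sorted(p.relative_to(dest).as_posix() for p in dest.rglob("*") if p.is_file())


def find_violations(zip_bytes: bytes, dest, allowed=DATA_SUFFIXES) -> list[str]:
    """Inspect every member before extraction and report all problems, not just the first."""
    dest = Path(dest).resolve()
    problems: list[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = PurePosixPath(info.filename)
            target = (dest / info.filename).resolve()
            if name.is_absolute() or ".." in name.parts or not target.is_relative_to(dest):
                problems.append(f"{info.filename}: escapes destination")
            elif stat.S_ISLNK(info.external_attr >> 16):
                problems.append(f"{info.filename}: symlink entry")
            elif not info.is_dir() and name.suffix.lower() not in allowed:
                problems.append(f"{info.filename}: unexpected file type {name.suffix!r}")
    return problems


def safe_extract(zip_bytes: bytes, dest, allowed=DATA_SUFFIXES) -> list[str]:
    """Extract only if the whole archive passes validation; otherwise touch nothing."""
    problems = find_violations(zip_bytes, dest, allowed)
    if problems:
        raise ValueError("refusing to extract: " + "; ".join(problems))
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(Path(dest))
        return sorted(i.filename for i in zf.infolist() if not i.is_dir())


def demo() -> dict:
    """Run both extractors on the constructed archives in scratch directories."""
    with tempfile.TemporaryDirectory() as tmp:
        written = unsafe_extract(MALICIOUS, Path(tmp, "unsafe"))
        violations = find_violations(MALICIOUS, Path(tmp, "safe"))
        try:
            safe_extract(MALICIOUS, Path(tmp, "safe"))
            rejected = False
        except ValueError:
            rejected = True
        clean = safe_extract(CLEAN, Path(tmp, "clean"))
    return {"unsafe_written": written, "violations": violations,
            "malicious_rejected": rejected, "clean_extracted": clean}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The unsafe path writes evil_corpus/__init__.py into the data directory without complaint, which is exactly the foothold the advisory describes; the hardened path reports both the traversal entry and the code file and extracts nothing. Validating the full member list before the first write matters: rejecting on the first bad entry after partial extraction would still leave attacker-chosen files on disk.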
Defensive priority
Treat this as high priority: the outcome is remote code execution and full compromise of the account that ran the downloader. Organizations should ensure every instance of NLTK is updated to a patched version as soon as possible, and should pay particular attention to places where NLTK data is fetched automatically, such as container builds, CI jobs and notebooks, since those downloads often run unattended and with broad privileges.
Recommended defensive actions
- Update NLTK to a patched version (the stored evidence does not name the fixed release; check the referenced advisory for the exact version).
- Validate downloaded packages before extraction: reject archive entries that resolve outside the data directory, symlink entries, and any Python or other executable files in what should be a data-only package.
- Monitor for the downloader being invoked on hosts where it should not run, and for unexpected .py, .pyc or shared-library files appearing under nltk_data directories.
- Restrict access to the NLTK downloader functionality: do not call nltk.download() at runtime in production; vendor the data at build time into a read-only location named by the NLTK_DATA environment variable and verify it against pinned hashes.
- Perform regular vulnerability scans and keep dependencies updated.
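The last three actions above (monitor for unexpected code under nltk_data, restrict the downloader, pin what is deployed) can be combined into one build-time and audit-time check. The following is an added example, not part of nltk: it assumes NLTK data is vendored into the directory named by NLTK_DATA and never fetched at runtime, and the manifest format (relative path to SHA-256 hex) is this example's own convention. build_manifest() is run once against a reviewed copy of the data; audit_data_dir() is run against the deployed tree and flags code files, symlinks, and anything missing, added or modified relative to the pins.

```python
"""Audit a pre-provisioned NLTK data directory against a pinned manifest.

Added example; not part of nltk. Assumes the data tree is vendored at build time
into the directory named by NLTK_DATA. The manifest format is our own convention.
"""
import hashlib
import tempfile
from pathlib import Path

# File types that have no place in a data-only tree. A downloaded package that
# introduces any of these is the scenario CVE-2025-14009 describes.
CODE_SUFFIXES = {".py", ".pyc", ".pyo", ".so", ".pyd", ".dll", ".sh"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Pin every regular file under root. Run once against a reviewed copy of the data."""
    root = Path(root).resolve()
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}


def audit_data_dir(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a deployed tree with the pinned manifest and flag anything executable."""
    root = Path(root).resolve()
    report: dict[str, list[str]] = {
        "code_files": [], "symlinks": [], "unexpected": [], "missing": [], "modified": []}
    seen = set()
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        if p.is_symlink():
            report["symlinks"].append(rel)  # a symlink can point anywhere on the host
            continue
        if not p.is_file():
            continue
        seen.add(rel)
        if p.suffix.lower() in CODE_SUFFIXES:
            report["code_files"].append(rel)  # data packages must never carry code
        if rel not in manifest:
            report["unexpected"].append(rel)
        elif sha256_file(p) != manifest[rel]:
            report["modified"].append(rel)
    report["missing"] = sorted(set(manifest) - seen)
    return report


def is_clean(report: dict[str, list[str]]) -> bool:
    """True only when every category in the report is empty."""
    return not any(report.values())


def demo() -> dict[str, list[str]]:
    """Constructed scenario: pin a reviewed tree, then tamper with the deployed copy."""
    with tempfile.TemporaryDirectory() as tmp:
        data = Path(tmp, "nltk_data")          # stands in for $NLTK_DATA
        corpus = data / "corpora" / "demo"
        corpus.mkdir(parents=True)
        (corpus / "words.txt").write_text("alpha\nbeta\n")
        (corpus / "README").write_text("demo corpus\n")
        manifest = build_manifest(data)
        assert is_clean(audit_data_dir(data, manifest))  # pristine copy passes

        # Simulate a poisoned package landing in the same tree.
        (corpus / "words.txt").write_text("alpha\nbeta\ngamma\n")   # modified data
        (corpus / "__init__.py").write_text("import os\n")          # smuggled code
        (corpus / "README").unlink()                                 # removed file
        return audit_data_dir(data, manifest)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

In a deployment pipeline the manifest is committed next to the application, build_manifest() is run only on a reviewed snapshot, and audit_data_dir() gates both the image build and a periodic host check; a non-empty code_files or symlinks list should page someone, while unexpected or modified entries indicate the tree was changed outside the pipeline.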
Evidence notes
CVE-2025-14009 was reported by security researchers and is recorded in the NVD. The stored evidence describes it as affecting all versions of NLTK, scores it CVSS 8.8 (HIGH), and tags the referenced third-party advisory as carrying an exploit. The cause is the missing path validation and content checks in the _unzip_iter function of nltk/downloader.py. No CISA KEV listing and no fixed release are present in the stored evidence.
Official resources
- CVE-2025-14009 CVE record (CVE.org)
- CVE-2025-14009 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Exploit, Third Party Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.