PatchSiren cyber security CVE debrief

CVE-2025-14009 nltk CVE debrief

A critical vulnerability exists in the NLTK downloader component of nltk/nltk, affecting all versions. The _unzip_iter function in nltk/downloader.py uses zipfile.extractall() without performing path validation or security checks. This allows attackers to craft malicious zip packages that, when downloaded and extracted by NLTK, can execute arbitrary code. The vulnerability arises because NLTK assumes all downloaded packages are trusted and extracts them without validation. If a malicious package contains Python files, such as __init__.py, these files are executed automatically upon import, leading to remote code execution.

Vendor: nltk
Product: nltk/nltk
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-18
Original CVE updated: 2026-06-30
Advisory published: 2026-02-18
Advisory updated: 2026-06-30

Who should care

This vulnerability is of high concern to developers and users of the NLTK library, as exploitation can lead to full system compromise, including file system access, network access, and the establishment of persistence mechanisms. Organizations using NLTK in their applications or products should prioritize patching to prevent attacks.

Technical summary

The vulnerability is caused by the lack of path validation and security checks in the _unzip_iter function of nltk/downloader.py. This function uses zipfile.extractall() to extract downloaded packages without validation, allowing attackers to craft malicious zip packages that can execute arbitrary code when extracted. The vulnerability is particularly severe because NLTK assumes all downloaded packages are trusted, and malicious packages can contain Python files that are executed automatically upon import.

Defensive priority

High priority should be given to patching this vulnerability, as it can lead to remote code execution and full system compromise. Organizations should ensure that all instances of NLTK are updated to a patched version as soon as possible.

Recommended defensive actions

  • Update NLTK to a patched version
  • Implement additional security checks for downloaded packages
  • Monitor for suspicious activity related to NLTK usage
  • Restrict access to NLTK downloader functionality
  • Perform regular vulnerability scans and updates
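The technical summary above describes the missing control (archive members are handed to extractall() with no validation), and the second recommended action asks for additional checks on downloaded packages. The following is an added example, not nltk's own code and not a patch for the CVE: it audits every member of a zip package before anything is written, rejecting absolute names, entries that resolve outside the destination directory, symlink entries, and, under a hypothetical policy named DENIED_SUFFIXES, Python source files of the kind the debrief identifies as the execution vector. The function names (audit_members, safe_extract, check_package, extract_to_scratch) and the sample archives are constructed for this illustration.

```python
"""Audit-before-extract for downloaded zip packages.

Added example, not nltk's own code: every archive member is checked before
anything is written, instead of handing the archive to extractall() as is.
"""
import io
import tempfile
import zipfile
from pathlib import Path, PureWindowsPath

# Hypothetical policy for data packages: source files have no business in a
# corpus archive, so their presence is reported as a finding.
DENIED_SUFFIXES = {".py", ".pyc", ".pth"}
S_IFMT, S_IFLNK = 0o170000, 0o120000   # POSIX file-type bits stored in external_attr


class UnsafeArchiveMember(Exception):
    """Raised when at least one member fails the audit."""


def audit_members(archive: zipfile.ZipFile, dest: Path) -> list[str]:
    """Return human-readable findings; an empty list means extraction may proceed."""
    findings = []
    root = dest.resolve()
    for info in archive.infolist():
        name = info.filename
        # Absolute names (Unix or Windows style) must never steer the write location.
        if name.startswith(("/", "\\")) or PureWindowsPath(name).drive:
            findings.append(f"absolute path: {name}")
            continue
        # Resolve the member against the destination; '..' segments that escape
        # the destination show up as a target that is not below `root`.
        target = (root / name).resolve()
        if not target.is_relative_to(root):
            findings.append(f"path traversal: {name}")
            continue
        # A symlink member could redirect later writes outside the tree.
        if (info.external_attr >> 16) & S_IFMT == S_IFLNK:
            findings.append(f"symlink member: {name}")
            continue
        if Path(name).suffix in DENIED_SUFFIXES:
            findings.append(f"code file in data package: {name}")
    return findings


def safe_extract(zip_bytes: bytes, dest: Path) -> list[str]:
    """Audit the whole archive first, then write members; returns the names written."""
    dest.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        findings = audit_members(archive, dest)
        if findings:
            raise UnsafeArchiveMember("; ".join(findings))
        written = []
        for info in archive.infolist():
            target = dest / info.filename
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(archive.read(info))
            written.append(info.filename)
        return written


def check_package(zip_bytes: bytes) -> list[str]:
    """Audit an archive against a scratch directory without writing any member."""
    with tempfile.TemporaryDirectory() as tmp, zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        return audit_members(archive, Path(tmp))


def extract_to_scratch(zip_bytes: bytes) -> list[str]:
    """Extract into a throwaway directory (used by the demo below)."""
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(zip_bytes, Path(tmp))


def build_zip(members: dict[str, bytes]) -> bytes:
    """Constructed test archive; member names are written exactly as given."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_symlink_zip() -> bytes:
    """Constructed archive whose only member carries symlink mode bits."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("corpora/link")
        info.external_attr = 0o120777 << 16
        zf.writestr(info, "../outside")
    return buf.getvalue()


# Constructed sample packages: one clean, three that each trip a different check.
GOOD_PACKAGE = build_zip({"corpora/sample/README": b"constructed sample corpus\n",
                          "corpora/sample/words.txt": b"alpha\nbeta\n"})
TRAVERSAL_PACKAGE = build_zip({"corpora/sample/words.txt": b"x", "../../escaped.txt": b"x"})
CODE_PACKAGE = build_zip({"corpora/sample/__init__.py": b"# constructed placeholder\n"})
SYMLINK_PACKAGE = build_symlink_zip()

if __name__ == "__main__":
    for label, pkg in [("good", GOOD_PACKAGE), ("traversal", TRAVERSAL_PACKAGE),
                       ("code", CODE_PACKAGE), ("symlink", SYMLINK_PACKAGE)]:
        print(label, check_package(pkg) or "no findings")
    print("written:", extract_to_scratch(GOOD_PACKAGE))
```

The audit runs over the complete member list before a single byte is written, so a package is accepted or rejected as a whole; a partially extracted archive is harder to reason about than a rejected one. The suffix policy is the part most worth adapting: it should reflect what your data packages legitimately contain, and a finding there should be treated as a reason to investigate the package source, not merely to skip the file.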

Evidence notes

The CVE-2025-14009 vulnerability was reported by security researchers and has been confirmed by the NVD. It affects all versions of NLTK and carries a CVSS score of 8.8, indicating high severity. The root cause is the lack of path validation and security checks in the _unzip_iter function of nltk/downloader.py.

Official resources

This article is AI-assisted and based on the supplied source corpus.