Vulnerability Description
A critical vulnerability exists in the NLTK downloader component of nltk/nltk, affecting all versions. The _unzip_iter function in nltk/downloader.py uses zipfile.extractall() without performing path validation or security checks. This allows attackers to craft malicious zip packages that, when downloaded and extracted by NLTK, can execute arbitrary code. The vulnerability arises because NLTK assumes all downloaded packages are trusted and extracts them without validation. If a malicious package contains Python files, such as __init__.py, these files are executed automatically upon import, leading to remote code execution. This issue can result in full system compromise, including file system access, network access, and potential persistence mechanisms.
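The description above comes down to one missing check: member paths are never validated against the destination before zipfile.extractall() writes them. The following is an added example (not code from nltk/nltk) of the check a downloader should perform: every entry is resolved against the destination directory and rejected if it is absolute, escapes the directory via "..", or is a symlink, before a single byte is written. Function names, the UnsafeZipMember exception and the two sample archives are constructed for this illustration.

```python
import io
import os
import stat
import tempfile
import zipfile


class UnsafeZipMember(ValueError):
    """Raised when a zip entry would land outside the destination directory."""


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Extract an in-memory zip into dest_dir, refusing unsafe entries.

    All members are validated first, so a bad entry anywhere in the archive
    means nothing at all is written. Returns the member names extracted.
    """
    dest_root = os.path.realpath(dest_dir)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith(("/", "\\")) or os.path.isabs(name):
                raise UnsafeZipMember(f"absolute path: {name!r}")
            target = os.path.realpath(os.path.join(dest_root, name))
            if os.path.commonpath([dest_root, target]) != dest_root:
                raise UnsafeZipMember(f"path escapes destination: {name!r}")
            # The Unix mode lives in the high 16 bits of external_attr.
            if stat.S_ISLNK((info.external_attr >> 16) & 0xFFFF):
                raise UnsafeZipMember(f"symlink entry: {name!r}")
        return [zf.extract(info, dest_root) and info.filename for info in zf.infolist()]


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory archive from {member_name: content} (test fixture only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archives; neither is a real NLTK data package.
BENIGN_ARCHIVE = build_zip({"corpus/README": b"ok", "corpus/words.txt": b"a\nb\n"})
TRAVERSAL_ARCHIVE = build_zip({"corpus/README": b"ok", "../outside.txt": b"escaped"})


def try_extract(zip_bytes: bytes) -> tuple[bool, list[str]]:
    """Extract into a fresh temp dir; return (accepted, extracted member names)."""
    with tempfile.TemporaryDirectory() as tmp:
        try:
            return True, safe_extract(zip_bytes, tmp)
        except UnsafeZipMember:
            return False, []
```

Path validation only addresses where files land; a package that is allowed through still needs an integrity check (a pinned hash or signature from a trusted index) before anything in it is imported.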
CVSS Score
10.0 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nltk | Nltk | < 3.9.3 |
Related Weaknesses (CWE)
References
- https://huntr.com/bounties/49ecbc02-054e-4470-b2e0-b267936cc4e4 (Exploit, Third Party Advisory)
FAQ
What is CVE-2025-14009?
CVE-2025-14009 is a vulnerability with a CVSS score of 10.0 (CRITICAL). A critical vulnerability exists in the NLTK downloader component of nltk/nltk, affecting all versions. The _unzip_iter function in nltk/downloader.py uses zipfile.extractall() without performing path ...
How severe is CVE-2025-14009?
CVE-2025-14009 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-14009?
Check the references section above for vendor advisories and patch information. Affected product: Nltk Nltk, versions < 3.9.3 (see the Affected Products table above).