nltk@3.6.4 vulnerabilities

Natural Language Toolkit

Direct Vulnerabilities

Known vulnerabilities in the nltk package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability Vulnerable Version
Severity: High
Remote Code Execution (RCE)

nltk, the Natural Language Toolkit (NLTK), is a Python package for natural language processing.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) through the integrated data package download functionality. An attacker with control over the NLTK data index can execute arbitrary code by supplying pickled Python code inside untrusted packages and tricking a user into loading the malicious pickle.

Data packages that would execute attacker-supplied code if compromised include averaged_perceptron_tagger, punkt, maxent_ne_chunker, help/tagsets, and maxent_treebank_pos_tagger.

How to fix Remote Code Execution (RCE)?

Upgrade nltk to version 3.8.2 or higher.

Vulnerable versions: [0,3.8.2)
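As an added defensive example (not part of the Snyk advisory or the NLTK project's code), the following Python audits pickle files in a downloaded NLTK data directory before anything loads them: it walks the opcode stream with pickletools.genops, which executes nothing, and reports every global reference outside an assumed allowlist of module prefixes. The allowlist, the function names and the sample inputs are assumptions.

```python
import pickle
import pickletools
from collections import OrderedDict
from pathlib import Path

# A load-time payload needs a global reference (GLOBAL/STACK_GLOBAL) plus an
# opcode that invokes it; these are the invoking opcodes to watch for.
CALL_OPCODES = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}
STRING_OPCODES = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
                  "STRING", "SHORT_BINSTRING", "BINSTRING"}
# Assumption: module prefixes a legitimate NLTK model pickle may reference;
# tune per data package, anything outside the list is reported.
DEFAULT_ALLOWED_PREFIXES = ("nltk.", "builtins.", "collections.", "copyreg.")

def audit_pickle(data: bytes):
    """Walk the opcode stream with pickletools.genops (nothing is executed) and
    return (globals referenced, invoking opcodes seen)."""
    globals_seen, calls, recent_strings = [], [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":          # protocol <= 3: arg is "module name"
            module, name = arg.split(" ", 1)
            globals_seen.append(f"{module}.{name}")
        elif op.name == "STACK_GLOBAL":  # protocol 4+: module and name were pushed
            if len(recent_strings) >= 2:
                globals_seen.append(f"{recent_strings[-2]}.{recent_strings[-1]}")
        elif op.name in CALL_OPCODES:
            calls.append(op.name)
        if op.name in STRING_OPCODES:    # heuristic: track recently pushed strings
            recent_strings.append(arg)
    return globals_seen, calls

def unexpected_globals(data: bytes, allowed=DEFAULT_ALLOWED_PREFIXES):
    """Globals referenced outside the allowlist; an empty list means none."""
    return [g for g in audit_pickle(data)[0] if not g.startswith(allowed)]

def audit_data_dir(root: str, allowed=DEFAULT_ALLOWED_PREFIXES):
    """Map each *.pickle under an NLTK data directory to its unexpected globals."""
    findings = {}
    for path in Path(root).rglob("*.pickle"):
        bad = unexpected_globals(path.read_bytes(), allowed)
        if bad:
            findings[str(path)] = bad
    return findings

def constructed_samples():
    """Constructed inputs: a plain dict (no globals) and an OrderedDict, which
    references collections.OrderedDict and needs REDUCE to rebuild it."""
    return pickle.dumps({"tag": "NN"}), pickle.dumps(OrderedDict())
```

Run audit_data_dir() against the nltk_data directory after a download and refuse to load any file it reports; the string-tracking for STACK_GLOBAL is a heuristic, so treat a non-empty result as a reason to inspect, not as a complete verdict.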
Severity: High
Remote Code Execution (RCE)

nltk, the Natural Language Toolkit (NLTK), is a Python package for natural language processing.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) in the local WordNet browser. If a user opens a malicious link while the WordNet browser is running, the vulnerability can be exploited on their system.

How to fix Remote Code Execution (RCE)?

Upgrade nltk to version 3.8.1 or higher.

Vulnerable versions: [,3.8.1)
Severity: Medium
Cross-site Scripting (XSS)

nltk, the Natural Language Toolkit (NLTK), is a Python package for natural language processing.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper input sanitization in the local WordNet browser's MyServerHandler class. The vulnerability can be exploited with a maliciously crafted URL.

Note: This only affects users of the browser interface to WordNet, not other users of WordNet.

How to fix Cross-site Scripting (XSS)?

Upgrade nltk to version 3.8.1 or higher.

Vulnerable versions: [,3.8.1)
Severity: Medium
Regular Expression Denial of Service (ReDoS)

nltk, the Natural Language Toolkit (NLTK), is a Python package for natural language processing.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the RegexpTagger method.

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade nltk to version 3.6.6 or higher.

Vulnerable versions: [0,3.6.6)
Severity: High
Regular Expression Denial of Service (ReDoS)

nltk, the Natural Language Toolkit (NLTK), is a Python package for natural language processing.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via word_tokenize() in nltk/tokenize/punkt.py.

PoC

from nltk.tokenize import word_tokenize
import nltk
import time

nltk.download('punkt')

# Tokenise ever-longer runs of a single character and time each call;
# vulnerable versions show super-linear growth in the elapsed time.
for length in [1000*2**n for n in range(1000)]:
    text = "a" * length
    start_t = time.time()
    word_tokenize(text)
    print(f"payload length: {length} takes {time.time()-start_t}s")

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade nltk to version 3.6.6 or higher.

Vulnerable versions: [0,3.6.6)