GSA_kwCzR0hTQS0yd3czLWZ4dnEtMjkzas0WBQ

High CVSS: 8.7 EPSS: 0.00433% (0.61865 Percentile) EPSS:

Permalink JSON

NLTK Vulnerable to REDoS

Affected Packages	Affected Versions	Fixed Versions
pypi:nltk	< 3.6.4	3.6.4
1,440 Dependent packages 57,572 Dependent repositories 33,560,963 Downloads last month Affected Version Ranges All affected versions 0.9.3, 0.9.4, 0.9.5, 0.9.6, 0.9.7, 0.9.8, 0.9.9, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.6.1, 3.6.2, 3.6.3 All unaffected versions 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.8.1, 3.8.2, 3.9.1

The nltk package is vulnerable to ReDoS (regular expression denial of service). An attacker that is able to provide as an input to the [_read_comparison_block()(https://github.com/nltk/nltk/blob/23f4b1c4b4006b0cb3ec278e801029557cec4e82/nltk/corpus/reader/comparative_sents.py#L259) function in the file nltk/corpus/reader/comparative_sents.py may cause an application to consume an excessive amount of CPU.

References:

Identifiers

GHSA-2ww3-fxvq-293j

CVE-2021-3828

Risk

Severity

High

CVSS

CVSS Score: 8.7

CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS

EPSS Percentage: 0.00433

EPSS Percentile: 0.61865

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/nltk/nltk

Date and time

Published

almost 4 years ago

Updated

10 months ago

API

JSON

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories