Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1jZ3Z4LTk0NDctdmNjaM4AA9aK

ntlk unsafe deserialization vulnerability

NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, for example, averaged_perceptron_tagger and punkt.

Permalink: https://github.com/advisories/GHSA-cgvx-9447-vcch
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jZ3Z4LTk0NDctdmNjaM4AA9aK
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 20 days ago
Updated: 12 days ago


CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Identifiers: GHSA-cgvx-9447-vcch, CVE-2024-39705
References: Repository: https://github.com/nltk/nltk
Blast Radius: 35.7

Affected Packages

pypi:nltk
Dependent packages: 1,440
Dependent repositories: 57,572
Downloads: 16,074,191 last month
Affected Version Ranges: <= 3.8.1
No known fixed version
All affected versions: 0.9.3, 0.9.4, 0.9.5, 0.9.6, 0.9.7, 0.9.8, 0.9.9, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.8.1