PT-2026-20477 · Pypi+2 · Nltk+2

Published 2025-01-01 · Updated 2026-06-03 · CVE-2025-14009

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: nltk/nltk (affected versions not specified)

Description: A critical issue exists in the NLTK downloader component. The `_unzip_iter` function in nltk/downloader.py calls zipfile.extractall() without validating member paths or applying any other security checks. This allows attackers to craft malicious zip packages that, when downloaded and extracted by NLTK, lead to arbitrary code execution. The root cause is that NLTK trusts every downloaded package and extracts it without validation. If a malicious package contains Python files, such as `__init__.py`, those files are executed automatically when the package is imported, potentially resulting in remote code execution and full system compromise, including file system access, network access, and persistence.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
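The description above names two missing controls: no validation of member paths before extraction, and no restriction on what kind of files a downloaded data package may contain. The following is an added illustration of the validate-before-extract pattern, written for this page and not taken from NLTK's own code; the sample archives, the `UnsafeArchiveError` type and the suffix allowlist are constructed here to show what such a check would reject.

```python
import io
import os
import stat
import tempfile
import zipfile
from pathlib import Path


class UnsafeArchiveError(ValueError):
    """Raised when a member would escape the target directory or has a disallowed type."""


def build_zip(entries):
    """Build an in-memory zip from {member_name: bytes}; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def check_member(info, dest, allowed_suffixes):
    """Return the resolved on-disk target for one member, or raise UnsafeArchiveError."""
    name = info.filename
    # Reject absolute paths and drive letters explicitly rather than relying on the
    # library to strip them; an explicit rejection is easier to audit and to log.
    if name.startswith(("/", "\\")) or os.path.splitdrive(name)[0]:
        raise UnsafeArchiveError(f"absolute path in archive: {name!r}")
    # Symlink members (POSIX mode bits live in the upper 16 bits of external_attr)
    # can point outside dest or be followed by a later member; a data package needs none.
    if stat.S_ISLNK(info.external_attr >> 16):
        raise UnsafeArchiveError(f"symlink in archive: {name!r}")
    # Resolve '..' and compare against the destination root: the classic zip-slip check.
    target = (dest / name).resolve()
    if target != dest and dest not in target.parents:
        raise UnsafeArchiveError(f"path traversal in archive: {name!r}")
    # Optional allowlist of file types: a corpus package has no reason to carry .py files.
    if (allowed_suffixes is not None and not info.is_dir()
            and target.suffix.lower() not in allowed_suffixes):
        raise UnsafeArchiveError(f"disallowed file type in archive: {name!r}")
    return target


def safe_extract(zip_bytes, dest, allowed_suffixes=None):
    """Validate every member first, then extract; return the names written to disk."""
    dest = Path(dest).resolve()
    dest.mkdir(parents=True, exist_ok=True)
    extracted = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # Validate-all-then-write, so a bad member late in the archive leaves nothing behind.
        members = [(info, check_member(info, dest, allowed_suffixes)) for info in zf.infolist()]
        for info, target in members:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(info.filename)
    return extracted


# Constructed sample archives for this example (not real NLTK packages).
BENIGN = build_zip({"corpus/README": b"sample corpus\n", "corpus/words.txt": b"alpha\nbeta\n"})
TRAVERSAL = build_zip({"corpus/words.txt": b"alpha\n", "../../escaped.txt": b"outside dest\n"})
WITH_CODE = build_zip({"corpus/words.txt": b"alpha\n", "corpus/__init__.py": b"print('ran')\n"})


def classify(zip_bytes, allowed_suffixes=(".txt", "")):
    """Return 'ok' or the rejection reason, extracting into a throwaway directory."""
    allowed = None if allowed_suffixes is None else set(allowed_suffixes)
    with tempfile.TemporaryDirectory() as tmp:
        try:
            safe_extract(zip_bytes, tmp, allowed)
            return "ok"
        except UnsafeArchiveError as exc:
            return str(exc)


if __name__ == "__main__":
    for label, data in (("benign", BENIGN), ("traversal", TRAVERSAL), ("with_code", WITH_CODE)):
        print(f"{label}: {classify(data)}")
```

Two design points worth noting. Validation runs over the whole member list before any byte is written, so a rejected archive never leaves a half-extracted tree for a later import to pick up. And the suffix allowlist is what addresses the second half of the description: even a package whose paths are all well-formed is refused if it ships a `__init__.py`, which is exactly the member type that would run on import.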

Exploit

RCE

Code Injection

Weakness Enumeration

Related Identifiers

BDU:2026-04340
CVE-2025-14009
ECHO-A2CB-9FEB-100C
GHSA-7P94-766C-HGJP
OPENSUSE-SU-2026:10226-1
PYSEC-2026-96
USN-8214-1

Affected Products

Linuxmint
Ubuntu
Nltk