PYSEC-2024-167

Details

NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, for example, averaged_perceptron_tagger and punkt.

Affected packages

PyPI / nltk
Introduced in: 0
Fixed in: 3.9
Fix: pip install --upgrade 'nltk>=3.9'
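
A static check for the condition described under Details, added here as an example (not code from NLTK or from this advisory): it lists the module and callable names that `*.pickle` files in a data directory would import, using `pickletools` so nothing is unpickled. The function names, the `nltk.` allowlist and the two sample files are assumptions constructed for illustration.

```python
import pickle
import pickletools
import tempfile
from collections import OrderedDict
from pathlib import Path

STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}

def pickle_imports(path):
    """List 'module.name' references in a pickle without unpickling it."""
    found, strings = [], []
    with open(path, "rb") as fh:
        for op, arg, _pos in pickletools.genops(fh):
            if op.name in STRING_OPS:
                strings.append(arg)
            elif op.name in ("GLOBAL", "INST"):
                # arg is "module name"; normalise to "module.name"
                found.append(arg.replace(" ", ".", 1))
            elif op.name == "STACK_GLOBAL":
                # Heuristic: module and name are normally the two strings
                # pushed just before; memo lookups are not resolved here.
                found.append(".".join(strings[-2:]) if len(strings) >= 2 else "<unresolved>")
    return found

def audit_data_dir(root, allowed_prefixes=("nltk.",)):
    """Map each *.pickle under root to its imports outside the allowlist.

    allowed_prefixes is an assumed starting point; tune it per deployment.
    """
    report = {}
    for path in sorted(Path(root).rglob("*.pickle")):
        try:
            names = pickle_imports(path)
        except Exception as exc:  # truncated or malformed stream
            names = [f"<unparseable: {type(exc).__name__}>"]
        unexpected = [n for n in names if not n.startswith(tuple(allowed_prefixes))]
        if unexpected:
            report[path.name] = unexpected
    return report

def demo():
    """Constructed sample: one data-only pickle, one that imports a class."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "plain.pickle").write_bytes(pickle.dumps({"w": [0.1, 0.2]}, protocol=4))
        Path(tmp, "imports.pickle").write_bytes(pickle.dumps(OrderedDict(a=1), protocol=4))
        return audit_data_dir(tmp)

if __name__ == "__main__":
    print(demo())
```

Point `audit_data_dir` at the `nltk_data` directory in use to review what previously downloaded packages reference; upgrading to the fixed version remains the remediation.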