ntlk unsafe deserialization vulnerability

GHSA-cgvx-9447-vcch · CVE-2024-39705 · PYSEC-2024-167

Published Jun 28, 2024 · Modified Feb 4, 2026

Description

NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, for example, averaged_perceptron_tagger and punkt.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-39705
WEB https://github.com/nltk/nltk/issues/2522
WEB https://github.com/nltk/nltk/issues/3266
WEB https://github.com/nltk/nltk/commit/441aecb7d33014bd08672232c6c8bb69c2ceaba2
PACKAGE https://github.com/nltk/nltk
WEB https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2024-167.yaml
WEB https://www.vicarius.io/vsociety/posts/rce-in-python-nltk-cve-2024-39705-39706

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes