CVE-2024-39705 – nltk
Package
Manager: pip
Name: nltk
Vulnerable Version: >=0 <3.9
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.08245 (percentile 0.91897)
Details
nltk unsafe deserialization vulnerability: NLTK through 3.8.1 allows remote code execution if untrusted packages contain pickled Python code and the integrated data package download functionality is used. This affects, for example, averaged_perceptron_tagger and punkt.
Metadata
Created: 2024-06-28T00:33:31Z
Modified: 2025-01-21T18:28:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-cgvx-9447-vcch/GHSA-cgvx-9447-vcch.json
CWE IDs: ["CWE-300", "CWE-502"]
Alternative ID: GHSA-cgvx-9447-vcch
Finding: F096
Auto approve: 1