Fluid Attacks Database

Description

ntlk unsafe deserialization vulnerability NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, for example, averaged_perceptron_tagger and punkt.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	nltk	>=0 <3.9	3.9
debian 11	nltk	=3.5-1 \|\| =3.6.5-1 \|\| =3.6.7-1 \|\| =3.7-1 \|\| =3.8-1 \|\| =3.8.1-1 \|\| =3.9.1-1 \|\| =3.9.1-2 \|\| =3.9.2-1 \|\| =3.9.3-1	-
debian 12	nltk	=3.8-1 \|\| =3.8.1-1 \|\| =3.9.1-1 \|\| =3.9.1-2 \|\| =3.9.2-1 \|\| =3.9.3-1	-
debian 13	nltk	>=0 <3.9.1-1	3.9.1-1
debian 14	nltk	>=0 <3.9.1-1	3.9.1-1

Aliases

1. CVE-2024-397052. NVD-2024-397053. OSV-2024-397054. OSV-DEBIAN-2024-397055. GCVE-2024-397056. SECURITY-TRACKER-CVE-2024-39705

References

1. https://github.com/nltk/nltk/issues/25222. https://github.com/nltk/nltk/issues/32663. https://github.com/nltk/nltk/commit/441aecb7d33014bd08672232c6c8bb69c2ceaba24. https://github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2024-167.yaml5. https://www.vicarius.io/vsociety/posts/rce-in-python-nltk-cve-2024-39705-39706

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.