NLTK, Code Injection, CVE-2025-14009 (Critical)

Listen to this Post

A critical vulnerability exists in the Natural Language Toolkit (NLTK) downloader component, affecting all versions prior to 3.9.3. The flaw resides in the `_unzip_iter` function within nltk/downloader.py, which uses the `zipfile.extractall()` method. This function extracts the contents of a zip archive without performing any validation on the paths of the files inside . This oversight allows a specially crafted, malicious zip package to perform a path traversal attack, also known as “Zip Slip” . When a user is tricked into downloading and extracting such a package using NLTK’s downloader, files can be written to arbitrary locations on the file system. The attack’s impact is magnified because NLTK assumes all downloaded data packages are trusted. If the malicious zip contains Python files (like __init__.py) that overwrite existing ones or are placed in a location where Python imports them, they will be executed automatically. This leads to arbitrary code execution, which can result in full system compromise, including unauthorized file system access, network access, and the installation of persistent backdoors .

dailycve form:

Platform: NLTK
Version: All versions
Vulnerability: Zip slip RCE
Severity: critical
date: 2026-02-18

Prediction: Patch available now

What Undercode Say:

Analytics:

The vulnerability, identified as a “Zip Slip” (CWE-94), is triggered through the network with low attack complexity . It requires no privileges or user interaction, and its scope is changed, meaning the vulnerable component impacts resources beyond its security scope . The CVSS score is a perfect 10.0, indicating the highest level of severity . The EPSS (Exploit Prediction Scoring System) score is approximately 0.4%, suggesting a moderate probability of exploitation in the wild . The vulnerability is present in all versions of NLTK up to and including 3.9.2, with the patch implemented in version 3.9.3 .

Bash commands and code:

Check installed NLTK version:

pip show nltk | grep Version

Update NLTK to the patched version:

pip install --upgrade nltk==3.9.3

For openSUSE systems, apply the security patch :

zypper in -t patch openSUSE-2026-57=1

Vulnerable code snippet in `nltk/downloader.py`:

def _unzip_iter(self, filename, root, verbose=True):
... (code)
with zipfile.ZipFile(filename, 'r') as zip:
Vulnerable line: no path validation
zip.extractall(root)
... (code)

How Exploit:

  1. Craft Malicious Zip: An attacker creates a zip archive containing a malicious Python file (e.g., __init__.py). The file inside the zip has a path traversal payload, such as ../../../../venv/lib/python3.x/site-packages/nltk/__init__.py.
  2. Host the Package: The attacker hosts this malicious zip file on a server, making it accessible via a URL. They might socially engineer a user to download it or compromise a legitimate package mirror.
  3. Trigger Download: The victim uses an NLTK function to download the malicious package, for example, nltk.download('malicious-package-name').
  4. Extraction and Overwrite: NLTK’s `_unzip_iter` function extracts the zip. Due to the lack of path validation, `zipfile.extractall()` writes the malicious `__init__.py` to the target `site-packages/nltk/` directory, overwriting the legitimate one.
  5. Code Execution: The next time the victim (or any process) imports the NLTK library (import nltk), Python automatically executes the attacker’s malicious `__init__.py` file, leading to remote code execution.

Protection from this CVE:

  • Immediate Update: The primary and most effective mitigation is to update NLTK to version 3.9.3 or later, which contains the fix for this vulnerability .
  • Input Validation: For developers who cannot update immediately, implement manual validation of all paths within a zip file before extraction. This involves iterating through the `namelist()` and checking for path components like `..` or absolute paths.
  • Use Safer Extraction: Consider using a safer extraction method that validates paths, such as:
    import zipfile
    import os
    def safe_extract(zip_file, target_dir):
    zip_file.extractall(target_dir) Still vulnerable on its own
    Better: Manual extraction with path check
    with zipfile.ZipFile(zip_file, 'r') as zip_ref:
    for member in zip_ref.namelist():
    Craft the full path safely
    member_path = os.path.join(target_dir, member)
    Resolve any symlinks or relative paths
    real_dest = os.path.realpath(member_path)
    real_target = os.path.realpath(target_dir)
    Check if the destination is within the target directory
    if not real_dest.startswith(real_target + os.sep):
    raise Exception("Path traversal attempt detected")
    Extract the file manually
    with zip_ref.open(member) as source, open(member_path, 'wb') as target:
    target.write(source.read())
    
  • Network Security: Employ network monitoring to detect and block connections to known malicious or unverified package repositories.

Impact:

The impact of CVE-2025-14009 is critical. Successful exploitation leads to arbitrary code execution with the privileges of the user running the Python script that imported NLTK . This can quickly escalate to full system compromise, granting an attacker the ability to:
– Read, modify, or delete sensitive files on the system.
– Install malware, ransomware, or backdoors for persistent access.
– Use the compromised machine as a pivot point to attack other systems on the network.
– Steal credentials, intellectual property, or other sensitive data.
– Cause a denial of service by crashing the application or system.
Given that NLTK is a widely used library in academic, data science, and research environments, the potential for supply chain-style attacks is significant.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top