FixVibe

// code / spotlight

NLTK Zip Slip Code Execution Advisory

A vulnerable NLTK downloader can turn compromised package archives into filesystem writes and code-execution risk.

Der Köder

NLTK data downloads often run during bootstrap, notebooks, CI, model preparation, or worker startup. A vulnerable downloader dependency matters when those paths can pull malicious or compromised package archives, but a repository dependency match is still version evidence rather than proof of runtime code execution.

So funktioniert's

The repo check looks for the PyPI `nltk` package in Python dependency manifests and lockfiles. Exact lockfile pins produce the strongest signal; broader manifest ranges are reported when they clearly allow versions before 3.9.3.

Die Auswirkungen

If an affected NLTK runtime downloads and extracts a malicious or compromised data package, archive entries may write outside the intended directory and later execute when imported. A repo match should drive dependency remediation and downloader-path review before anyone treats the issue as confirmed runtime compromise.

// was fixvibe prüft

Was FixVibe prüft

FixVibe repo scans look for high-confidence security patterns and dependency risk in source context. Reports identify the affected area and recommended fix. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.

Wasserdichte Verteidigung

Upgrade `nltk` to 3.9.3 or newer, regenerate the active Python lockfile, and rebuild every runtime, CI job, worker, notebook, or image that can call NLTK downloader code. Review `nltk.download()` and custom NLTK data mirror/cache usage so package sources stay trusted, then verify with dependency-tree and benign application tests.

// lass es auf deiner eigenen App laufen

Ship weiter, während FixVibe mitwacht.

FixVibe testet die öffentliche Oberfläche deiner App so unter Druck, wie ein Angreifer es tun würde — ohne Agent, ohne Installation, ohne Karte. Wir recherchieren laufend neue Schwachstellenmuster und machen daraus praktische Checks und kopierfertige Fixes für Cursor, Claude und Copilot.

Quellcode
116
Tests in dieser Kategorie
Module
76
dedizierte quellcode-Prüfungen
pro Scan
487+
Tests über alle Kategorien
  • Kostenlos — keine Karte, keine Installation, kein Slack-Ping
  • Einfach URL einfügen — wir crawlen, prüfen und reporten
  • Findings nach Schweregrad sortiert, auf Signal dedupliziert
  • AI-ready prompts where code applies, plus operator steps for DNS/provider fixes
Kostenlosen Scan starten

// aktuelle Checks · praktische Fixes · mit Vertrauen shippen

NLTK Zip Slip Code Execution Advisory — Vulnerability-Spotlight | FixVibe · FixVibe