FixVibe
Covered by FixVibe · Severity: critical

Arbitrary Code Execution in NLTK via Zip Slip (CVE-2025-14009)

NLTK versions through 3.9.2 are associated with CVE-2025-14009, a downloader Zip Slip advisory that can lead to arbitrary code execution when malicious or compromised packages are extracted. Upgrade to 3.9.3 or newer.

CVE-2025-14009 · GHSA-7p94-766c-hgjp · PYSEC-2026-96 · CWE-94 · CWE-22

Impact

CVE-2025-14009 is an NLTK downloader Zip Slip advisory. GitHub, NVD, and OSV describe affected NLTK versions where archive extraction in the downloader could write files outside the intended directory and may lead to arbitrary code execution when a malicious or compromised package is downloaded and extracted [S1, S2, S3].

Root Cause

The vulnerable path is in NLTK's downloader archive extraction. GitHub's reviewed advisory lists the PyPI package nltk as affected through 3.9.2 and patched in 3.9.3 [S1]. NVD records the NLTK product family as affected up to, but excluding, 3.9.3 and carries the CNA critical CVSS vector for this issue [S2]. OSV/PyPA lists nltk with an introduced baseline of all previous versions and a fixed event at 3.9.3 [S3].

Covered by FixVibe

FixVibe covers this in authorized GitHub repo scans by reporting Python dependency evidence for NLTK versions associated with CVE-2025-14009. The finding is a version-based advisory: FixVibe does not run Python or NLTK, call nltk.download(), download or extract packages, create malicious archives, inspect NLTK data mirrors or caches, prove arbitrary file write or code execution, or confirm that the affected dependency is the production runtime.

Remediation

Upgrade nltk to 3.9.3 or newer [S1, S2, S3]. Regenerate the active lockfile, rebuild deployed virtualenvs, images, jobs, notebooks, and workers, and verify the runtime version with pip show nltk, poetry show nltk, or python -c "import nltk; print(nltk.__version__)". Review code paths that call nltk.download() or use custom NLTK data package mirrors or caches so they only pull trusted packages. Use normal dependency-tree and application smoke tests; do not use malicious archive extraction or code-execution proof tests as routine remediation verification.
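The Zip Slip class described under Root Cause, and the review of nltk.download() code paths recommended above, both come down to one check: no archive member may resolve outside the destination directory. The following is an added example, not NLTK's downloader code or the patch in 3.9.3; the archives are constructed in memory and the destination path is hypothetical.

```python
import io
import os
import zipfile


def unsafe_members(zf: zipfile.ZipFile, dest: str) -> list[str]:
    """Return member names that would land outside `dest` after extraction.

    Generic Zip Slip containment check: join each name to the destination,
    resolve it, and require that the destination is a strict prefix of the
    resolved path. Absolute names and '..' segments both fail this test.
    """
    dest_real = os.path.realpath(dest)
    escaping = []
    for info in zf.infolist():
        target = os.path.realpath(os.path.join(dest_real, info.filename))
        # commonpath equals dest_real only when target lies at or below it
        if os.path.commonpath([dest_real, target]) != dest_real:
            escaping.append(info.filename)
    return escaping


def safe_extract(zf: zipfile.ZipFile, dest: str) -> None:
    """Extract only if every member is contained; otherwise reject the whole archive."""
    escaping = unsafe_members(zf, dest)
    if escaping:
        raise ValueError(f"refusing to extract, members escape {dest!r}: {escaping}")
    zf.extractall(dest)


def build_archive(members: dict[str, bytes]) -> zipfile.ZipFile:
    """Constructed in-memory sample archive (not a real NLTK data package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as w:
        for name, data in members.items():
            w.writestr(name, data)
    buf.seek(0)
    return zipfile.ZipFile(buf)


# Constructed samples: a well-formed package and one carrying a traversal entry
BENIGN = build_archive({"corpora/demo/README": b"ok\n"})
HOSTILE = build_archive({
    "corpora/demo/README": b"ok\n",
    "../../outside.py": b"# would be written two levels above the data dir\n",
})
```

Rejecting the whole archive rather than skipping the bad entry keeps a partially written package from being mistaken for a valid one.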
