2440724 – (CVE-2025-14009) CVE-2025-14009 nltk: Zip Slip Vulnerability in nltk Leading to Code Execution

Bug 2440724 (CVE-2025-14009) - CVE-2025-14009 nltk: Zip Slip Vulnerability in nltk Leading to Code Execution

Summary: CVE-2025-14009 nltk: Zip Slip Vulnerability in nltk Leading to Code Execution

Keywords:
Status:	NEW
Alias:	CVE-2025-14009
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2440819 2440820 2440821
Blocks:
TreeView+	depends on / blocked

Reported:	2026-02-18 19:03 UTC by OSIDB Bzimport
Modified:	2026-02-18 23:26 UTC (History)
CC List:	22 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-02-18 19:03:51 UTC

A critical vulnerability exists in the NLTK downloader component of nltk/nltk, affecting all versions. The _unzip_iter function in nltk/downloader.py uses zipfile.extractall() without performing path validation or security checks. This allows attackers to craft malicious zip packages that, when downloaded and extracted by NLTK, can execute arbitrary code. The vulnerability arises because NLTK assumes all downloaded packages are trusted and extracts them without validation. If a malicious package contains Python files, such as __init__.py, these files are executed automatically upon import, leading to remote code execution. This issue can result in full system compromise, including file system access, network access, and potential persistence mechanisms.

Note You need to log in before you can comment on or make changes to this bug.

anpicker
bparees
ebourniv
hasun
jfula
jkoehler
jmitchel
jowilson
jwong
kshier
lgallett
lphiri
nyancey
omaciel
ometelka
pbohmill
ptisnovs
sbunciak
syedriko
teagle
ttakamiy
xdharmai