NLTK
CVE-2026-0847
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
6Blast Radius
ecosystem impact- 17 pypi packages depend on nltk (15 direct, 2 indirect)
Ecosystem-wide dependent count for version 3.9.2.
DescriptionNVD
A vulnerability in NLTK versions up to and including 3.9.2 allows arbitrary file read via path traversal in multiple CorpusReader classes, including WordListCorpusReader, TaggedCorpusReader, and BracketParseCorpusReader. These classes fail to properly sanitize or validate file paths, enabling attackers to traverse directories and access sensitive files on the server. This issue is particularly critical in scenarios where user-controlled file inputs are processed, such as in machine learning APIs, chatbots, or NLP pipelines. Exploitation of this vulnerability can lead to unauthorized access to sensitive files, including system files, SSH private keys, and API tokens, and may potentially escalate to remote code execution when combined with other vulnerabilities.
AnalysisAI
Path traversal in NLTK (Natural Language Toolkit) versions ≤3.9.2 allows remote unauthenticated attackers to read arbitrary files from the server hosting NLP applications. Multiple CorpusReader classes (WordListCorpusReader, TaggedCorpusReader, BracketParseCorpusReader) fail to sanitize file paths, enabling directory traversal to access sensitive files including SSH keys, API tokens, and system configurations. This poses critical risk in machine learning APIs, chatbots, and NLP pipelines that process user-controlled file inputs. EPSS score of 0.25% (48th percentile) suggests low widespread exploitation probability despite public disclosure via huntr.com bounty, though the unauthenticated network vector (AV:N/PR:N) and zero attack complexity make this readily exploitable once targets are identified.
Technical ContextAI
NLTK (Natural Language Toolkit) is a widely-used Python library for natural language processing and computational linguistics. The vulnerability affects CorpusReader classes responsible for loading and parsing linguistic corpora from the filesystem. The root cause (CWE-22: Improper Limitation of a Pathname to a Restricted Directory) stems from inadequate validation of file path parameters passed to these reader classes. Attackers can inject path traversal sequences (e.g., '../../../etc/passwd') in filenames or corpus identifiers, bypassing intended directory restrictions. The affected component cpe:2.3:a:nltk:nltk operates in many production environments as a backend service for text analysis, sentiment analysis, tokenization, and machine learning model preprocessing, making file system access controls critical. The vulnerability exists in core data loading functions that directly interact with the operating system's file API without canonicalization or jail restrictions.
RemediationAI
Upgrade NLTK to version 3.9.3 or later where vendor patch is available (exact patched version should be confirmed from https://huntr.com/bounties/fc69914f-36a9-4c18-8503-10013b39f966 or official NLTK release notes). As immediate mitigation for systems that cannot upgrade, implement application-layer input validation to reject file paths containing traversal sequences ('..' components, absolute paths, symbolic links) before passing to CorpusReader classes - use allowlist validation restricting corpus names to alphanumeric identifiers mapped server-side to absolute paths. Deploy filesystem-level controls such as chroot jails, containers with read-only mounts, or AppArmor/SELinux policies restricting NLTK process file access to designated corpus directories only. Note that input filtering alone may be bypassed via encoding variations (URL encoding, Unicode normalization) so defense-in-depth with OS-level restrictions is essential. Monitor file access logs for unusual patterns indicating traversal attempts. If NLTK functionality is exposed via web APIs, ensure the API gateway enforces strict schema validation on corpus identifiers. Review application architecture to eliminate scenarios where user input directly controls file path parameters to NLTK functions.
Arbitrary code execution in the NLTK (Natural Language Toolkit) Python library affects all versions through its data dow
NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research a
nltk is vulnerable to Inefficient Regular Expression Complexity. Rated high severity (CVSS 7.5), this vulnerability is r
NLTK Downloader before 3.4.5 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a .
Unsafe path handling in NLTK's filestring() function enables attackers to read arbitrary files on affected iOS and AI/ML
Same weakness CWE-22 – Path Traversal
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-68j8-pq59-fqgm