ByteOS Network

NVD Vulnerability Details :

CVE-2025-14009

Received

Source-security@huntr.dev

Published At-18 Feb, 2026 | 18:24

Updated At-18 Feb, 2026 | 20:18

A critical vulnerability exists in the NLTK downloader component of nltk/nltk, affecting all versions. The _unzip_iter function in nltk/downloader.py uses zipfile.extractall() without performing path validation or security checks. This allows attackers to craft malicious zip packages that, when downloaded and extracted by NLTK, can execute arbitrary code. The vulnerability arises because NLTK assumes all downloaded packages are trusted and extracts them without validation. If a malicious package contains Python files, such as __init__.py, these files are executed automatically upon import, leading to remote code execution. This issue can result in full system compromise, including file system access, network access, and potential persistence mechanisms.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.0	10.0	CRITICAL	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Type: Secondary

Version: 3.0

Base score: 10.0

Base severity: CRITICAL

Vector:

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Weaknesses

CWE ID	Type	Source
CWE-94	Secondary	security@huntr.dev

CWE ID: CWE-94

Type: Secondary

Source: security@huntr.dev

References

Hyperlink	Source	Resource
https://huntr.com/bounties/49ecbc02-054e-4470-b2e0-b267936cc4e4	security@huntr.dev	N/A
https://huntr.com/bounties/49ecbc02-054e-4470-b2e0-b267936cc4e4	134c704f-9b21-4f2e-91b3-4a467353bcc0	N/A

Hyperlink: https://huntr.com/bounties/49ecbc02-054e-4470-b2e0-b267936cc4e4

Source: security@huntr.dev

Resource: N/A

Hyperlink: https://huntr.com/bounties/49ecbc02-054e-4470-b2e0-b267936cc4e4

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Resource: N/A

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History