CVE-2021-3828: NLTK Vulnerable to REDoS
The nltk package is vulnerable to ReDoS (regular expression denial of service). An attacker who is able to supply input to the [_read_comparison_block()](https://github.com/nltk/nltk/blob/23f4b1c4b4006b0cb3ec278e801029557cec4e82/nltk/corpus/reader/comparative_sents.py#L259) function in the file nltk/corpus/reader/comparative_sents.py may cause an application to consume an excessive amount of CPU.
References
- github.com/advisories/GHSA-2ww3-fxvq-293j
- github.com/nltk/nltk
- github.com/nltk/nltk/commit/277711ab1dec729e626b27aab6fa35ea5efbd7e6
- github.com/nltk/nltk/pull/2816
- github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2021-356.yaml
- huntr.dev/bounties/d19aed43-75bc-4a03-91a0-4d0bb516bc32
- nvd.nist.gov/vuln/detail/CVE-2021-3828