CVE-2024-39705: ntlk unsafe deserialization vulnerability

June 28, 2024

NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, for example, averaged_perceptron_tagger and punkt.

References

github.com/advisories/GHSA-cgvx-9447-vcch
github.com/nltk/nltk
github.com/nltk/nltk/issues/2522
github.com/nltk/nltk/issues/3266
nvd.nist.gov/vuln/detail/CVE-2024-39705

Detect and mitigate CVE-2024-39705 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →