CVE-2024-39705: ntlk unsafe deserialization vulnerability
(updated )
NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, for example, averaged_perceptron_tagger and punkt.
References
- github.com/advisories/GHSA-cgvx-9447-vcch
- github.com/nltk/nltk
- github.com/nltk/nltk/commit/441aecb7d33014bd08672232c6c8bb69c2ceaba2
- github.com/nltk/nltk/issues/2522
- github.com/nltk/nltk/issues/3266
- github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2024-167.yaml
- nvd.nist.gov/vuln/detail/CVE-2024-39705
- www.vicarius.io/vsociety/posts/rce-in-python-nltk-cve-2024-39705-39706
Detect and mitigate CVE-2024-39705 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →