【OCS】【漏洞修复】CVE-2025-14009：python-nltk高危漏洞

**【软件包名】**
python-nltk

**【CVE ID】**
CVE-2025-14009

**【漏洞评级】**
High

**【评分向量】**
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

**【CWE ID】**
CWE-94

**【漏洞描述】**
A critical vulnerability exists in the NLTK downloader component of nltk/nltk, affecting all versions. The _unzip_iter function in nltk/downloader.py uses zipfile.extractall() without performing path validation or security checks. This allows attackers to craft malicious zip packages that, when downloaded and extracted by NLTK, can execute arbitrary code. The vulnerability arises because NLTK assumes all downloaded packages are trusted and extracts them without validation. If a malicious package contains Python files, such as __init__.py, these files are executed automatically upon import, leading to remote code execution. This issue can result in full system compromise, including file system access, network access, and potential persistence mechanisms.

**【安全评估】**
NLTK的nltk/nltk组件的下载器部分存在严重漏洞，影响所有版本。nltk/downloader.py中的_unzip_iter函数使用zipfile.extractall()时未进行路径验证或安全检查。攻击者可构造恶意zip文件，当NLTK下载并解压该文件时，可执行任意代码。漏洞根源在于NLTK假设所有下载的包均可信且未验证即解压。若恶意包包含Python文件（如__init__.py），这些文件在导入时会自动执行，导致远程代码执行。此问题可能造成系统完全沦陷，包括文件系统访问、网络访问及潜在持久化机制。

当前发行版的python-nltk版本为3.8.1，POC验证报：Vulnerability confirmed: NLTK extractall() allows RCE，受影响需修复。

可以通过升级到3.9.3版本修复该CVE

**【参考链接】**
修复提交：https://github.com/nltk/nltk/pull/3468

OpenCloudOS Stream/python-nltk

内容风险标识

评论 (16)

OpenCloudOS Stream/python-nltk .gitee-modal { width: 500px !important; }

内容风险标识