
fix(security): patch CVE-2025-14009 (nltk) — main (3.x)#3

Open

joerattazzi-microsoft wants to merge 1 commit into main from security/nltk-cve-2025-14009-main

Conversation

@joerattazzi-microsoft (Owner)

Security Patch: CVE-2025-14009

Vulnerability: CVE-2025-14009 — path traversal and arbitrary ZIP extraction in nltk.downloader

Affected version: nltk 3.9.1 (pinned in this codebase)

Fix: Bump nltk minimum version to 3.9.3 which includes:

  • Secure ZIP extraction in nltk.downloader (#3468)
  • Block path traversal/arbitrary reads in nltk.data for protocol-less refs (#3467)
  • Block path traversal/abs paths in corpus readers and FS pointers (#3479, #3480)
  • Validate external StanfordSegmenter JARs using SHA256 (#3477)

References:

Updates nltk from the vulnerable 3.9.1 pin to >=3.9.3,<4.0.0.
CVE-2025-14009 is fixed in 3.9.3.
@joerattazzi-microsoft force-pushed the security/nltk-cve-2025-14009-main branch from 5db1b85 to c375f6a on March 23, 2026 23:42
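The bug class the description names, arbitrary ZIP extraction through path traversal, as an added illustration: a guard that refuses an archive if any member would resolve outside the extraction directory, instead of silently rewriting its name. This is example code written for this page, not nltk's own fix from #3468; the archive contents are constructed and the destination directory name is an assumption.

```python
import io
import os
import zipfile
from pathlib import PurePosixPath


def unsafe_members(zf: zipfile.ZipFile, dest: str) -> list[str]:
    """Return archive member names that would land outside `dest` if extracted.

    Two checks run on every entry: a syntactic one (absolute path, Windows
    drive letter, or any '..' component) and a resolution one (the fully
    resolved target must stay below the resolved `dest`).
    """
    dest_real = os.path.realpath(dest)
    bad = []
    for info in zf.infolist():
        name = info.filename
        parts = PurePosixPath(name.replace("\\", "/")).parts
        is_abs = name.startswith(("/", "\\"))
        has_drive = len(name) > 1 and name[1] == ":"
        if is_abs or has_drive or ".." in parts:
            bad.append(name)
            continue
        target = os.path.realpath(os.path.join(dest_real, *parts))
        if os.path.commonpath([dest_real, target]) != dest_real:
            bad.append(name)
    return bad


def safe_extractall(zf: zipfile.ZipFile, dest: str) -> None:
    """Reject the whole archive when any member is unsafe; nothing is written."""
    bad = unsafe_members(zf, dest)
    if bad:
        raise ValueError(f"refusing to extract: traversal entries {bad}")
    zf.extractall(dest)


def build_sample_zip() -> zipfile.ZipFile:
    """Constructed in-memory archive: one legitimate corpus file next to two
    hostile entries (sample data made up for this example, not a real package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as out:
        out.writestr("punkt/english.pickle", b"legitimate model data")
        out.writestr("../../.bashrc", b"would escape the data directory")
        out.writestr("/etc/passwd", b"absolute path")
    buf.seek(0)
    return zipfile.ZipFile(buf)


if __name__ == "__main__":
    # Assumed destination name; nothing is written because the archive is rejected.
    print(unsafe_members(build_sample_zip(), "nltk_data"))
```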