CVE-2025-14009 — Vulnetix

Try Vulnetix Request Demo

CVE-2025-14009 PUBLISHED CVSS 10 CRITICAL

A critical vulnerability exists in the NLTK downloader component of nltk/nltk, affecting all versions. The _unzip_iter function in nltk/downloader.py uses zipfile.extractall() without performing path validation or security checks. This allows attackers to craft malicious zip packages that, when downloaded and extracted by NLTK, can execute arbitrary code. The vulnerability arises because NLTK assumes all downloaded packages are trusted and extracts them without validation. If a malicious package contains Python files, such as __init__.py, these files are executed automatically upon import, leading to remote code execution. This issue can result in full system compromise, including file system access, network access, and potential persistence mechanisms.

EPSS 0.62% · 69.9th percentile

Risk Scores

CVSS v3.0

10

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score

0.62%

69.9th percentile

Affected Products

Vendor	Product	Versions
nltk	nltk	0, 0
nltk	nltk/nltk	unspecified, unspecified
PyPI	nltk	0, 0

Timeline

Feb 18, 2026 CVE Published
Feb 18, 2026 PoC Published
Feb 18, 2026 PoC Published
Feb 19, 2026 EPSS Score
Feb 20, 2026 EPSS Score
Feb 21, 2026 EPSS Score
Feb 23, 2026 EPSS Score
Feb 24, 2026 EPSS Score
Feb 25, 2026 CVE Updated
Feb 25, 2026 EPSS Score
Feb 26, 2026 EPSS Score
Feb 27, 2026 EPSS Score

References

Open in Interactive Console →