CVE-2025-14009
A critical vulnerability exists in the NLTK downloader component of nltk/nltk, affecting all versions. The _unzip_iter function in nltk/downloader.py uses zipfile.extractall() without performing path validation or security checks. This allows attackers to craft malicious zip packages that, when downloaded and extracted by NLTK, can execute arbitrary code. The vulnerability arises because NLTK assumes all downloaded packages are trusted and extracts them without validation. If a malicious package contains Python files, such as __init__.py, these files are executed automatically upon import, leading to remote code execution. This issue can result in full system compromise, including file system access, network access, and potential persistence mechanisms.
EPSS 0.88% · 75.7th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| nltk | nltk | 0, 0 |
| nltk | nltk/nltk | *, unspecified |
| PyPI | nltk | 0, 0 |
Exploit Intelligence
- CIRCL seen: CVE-2025-14009 (circl-sighting)
- CIRCL seen: CVE-2025-14009 (circl-sighting)
- https://huntr.com/bounties/49ecbc02-054e-4470-b2e0-b267936cc4e4 (cve.org)
- hook_executor.py (github-poc)
- hook_executor.py (github-poc)
- hook_executor.py (github-poc)
- hook_executor.py (github-poc)
- hook_executor.py (github-poc)
- hook_executor.py (github-poc)
- hook_executor.py (github-poc)
…and 9 more exploits
Timeline
- Feb 18, 2026 CVE Published
- Feb 18, 2026 PoC Published
- Feb 18, 2026 PoC Published
- Feb 19, 2026 EPSS Score
- Feb 21, 2026 EPSS Score
- Feb 22, 2026 EPSS Score
- Feb 24, 2026 EPSS Score
- Feb 25, 2026 CVE Updated
- Feb 26, 2026 EPSS Score
- Feb 28, 2026 EPSS Score
- Mar 1, 2026 EPSS Score
- Mar 3, 2026 EPSS Score
References
- https://huntr.com/bounties/49ecbc02-054e-4470-b2e0-b267936cc4e4 url
- https://nvd.nist.gov/vuln/detail/CVE-2025-14009 advisory
- https://github.com/nltk/nltk/pull/3468 url
- https://github.com/nltk/nltk/commit/1056b323af6462455571302e766b67cf300aea18 url
- https://github.com/nltk/nltk package
- https://github.com/nltk/nltk/blob/4154eb85e832f266660a09286c7e37e308292284/ChangeLog#L1 url
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37451 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37445 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37460 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37449 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37450 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37466 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37468 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37444 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37461 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37459 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37446 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37465 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37448 advisory
- https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37447 advisory
…and 15 more