Python/nltk/2.0.3


Natural Language Toolkit

https://pypi.org/project/nltk
Apache-2.0

5 Security Vulnerabilities

NLTK Vulnerable to REDoS

Published date: 2021-09-29T17:14:53Z
CVE: CVE-2021-3828
Links:

The nltk package is vulnerable to ReDoS (regular expression denial of service). An attacker that is able to provide as an input to the [_read_comparison_block()(https://github.com/nltk/nltk/blob/23f4b1c4b4006b0cb3ec278e801029557cec4e82/nltk/corpus/reader/comparative_sents.py#L259) function in the file nltk/corpus/reader/comparative_sents.py may cause an application to consume an excessive amount of CPU.

Affected versions: ["0.8", "0.9", "0.9.3", "0.9.4", "0.9.5", "0.9.6", "0.9.7", "0.9.8", "0.9.9", "2.0.1", "2.0.1rc1", "2.0.1rc2-git", "2.0.1rc3", "2.0.1rc4", "2.0.2", "2.0.3", "2.0.4", "2.0.5", "2.0b4", "2.0b5", "2.0b6", "2.0b7", "2.0b8", "2.0b9", "3.0.0", "3.0.0b1", "3.0.0b2", "3.0.1", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.1", "3.2", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.2.5", "3.3", "3.4", "3.4.1", "3.4.2", "3.4.3", "3.4.4", "3.4.5", "3.5", "3.5b1", "3.6", "3.6.1", "3.6.2", "3.6.3"]
Secure versions: [3.9, 3.9.1]
Recommendation: Update to version 3.9.1.

ntlk unsafe deserialization vulnerability

Published date: 2024-06-28T00:33:31Z
CVE: CVE-2024-39705
Links:

NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, for example, averagedperceptrontagger and punkt.

Affected versions: ["0.8", "0.9", "0.9.3", "0.9.4", "0.9.5", "0.9.6", "0.9.7", "0.9.8", "0.9.9", "2.0.1", "2.0.1rc1", "2.0.1rc2-git", "2.0.1rc3", "2.0.1rc4", "2.0.2", "2.0.3", "2.0.4", "2.0.5", "2.0b4", "2.0b5", "2.0b6", "2.0b7", "2.0b8", "2.0b9", "3.0.0", "3.0.0b1", "3.0.0b2", "3.0.1", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.1", "3.2", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.2.5", "3.3", "3.4", "3.4.1", "3.4.2", "3.4.3", "3.4.4", "3.4.5", "3.5", "3.5b1", "3.6", "3.6.1", "3.6.2", "3.6.3", "3.6.4", "3.6.5", "3.6.6", "3.6.7", "3.7", "3.8", "3.8.1", "3.8.2", "3.9b1"]
Secure versions: [3.9, 3.9.1]
Recommendation: Update to version 3.9.1.

Inefficient Regular Expression Complexity in nltk (word_tokenize, sent_tokenize)

Published date: 2022-01-06T17:38:45Z
CVE: CVE-2021-43854
Links:

Impact

The vulnerability is present in PunktSentenceTokenizer, sent_tokenize and word_tokenize. Any users of this class, or these two functions, are vulnerable to a Regular Expression Denial of Service (ReDoS) attack. In short, a specifically crafted long input to any of these vulnerable functions will cause them to take a significant amount of execution time. The effect of this vulnerability is noticeable with the following example: ```python from nltk.tokenize import word_tokenize

n = 8 for length in [10**i for i in range(2, n)]: # Prepare a malicious input text = a * length startt = time.time() # Call `wordtokenizeand naively measure the execution time word_tokenize(text) print(f"A length of {length:<{n}} takes {time.time() - start_t:.4f}s") Which gave the following output during testing: python A length of 100 takes 0.0060s A length of 1000 takes 0.0060s A length of 10000 takes 0.6320s A length of 100000 takes 56.3322s ... `` I canceled the execution of the program after running it for several hours.

If your program relies on any of the vulnerable functions for tokenizing unpredictable user input, then we would strongly recommend upgrading to a version of NLTK without the vulnerability, or applying the workaround described below.

Patches

The problem has been patched in NLTK 3.6.6. After the fix, running the above program gives the following result: python A length of 100 takes 0.0070s A length of 1000 takes 0.0010s A length of 10000 takes 0.0060s A length of 100000 takes 0.0400s A length of 1000000 takes 0.3520s A length of 10000000 takes 3.4641s This output shows a linear relationship in execution time versus input length, which is desirable for regular expressions. We recommend updating to NLTK 3.6.6+ if possible.

Workarounds

The execution time of the vulnerable functions is exponential to the length of a malicious input. With other words, the execution time can be bounded by limiting the maximum length of an input to any of the vulnerable functions. Our recommendation is to implement such a limit.

References

For more information

If you have any questions or comments about this advisory: * Open an issue in github.com/nltk/nltk * Email us at nltk.team@gmail.com

Affected versions: ["0.8", "0.9", "0.9.3", "0.9.4", "0.9.5", "0.9.6", "0.9.7", "0.9.8", "0.9.9", "2.0.1", "2.0.1rc1", "2.0.1rc2-git", "2.0.1rc3", "2.0.1rc4", "2.0.2", "2.0.3", "2.0.4", "2.0.5", "2.0b4", "2.0b5", "2.0b6", "2.0b7", "2.0b8", "2.0b9", "3.0.0", "3.0.0b1", "3.0.0b2", "3.0.1", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.1", "3.2", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.2.5", "3.3", "3.4", "3.4.1", "3.4.2", "3.4.3", "3.4.4", "3.4.5", "3.5", "3.5b1", "3.6", "3.6.1", "3.6.2", "3.6.3", "3.6.4", "3.6.5"]
Secure versions: [3.9, 3.9.1]
Recommendation: Update to version 3.9.1.

NLTK Vulnerable To Path Traversal

Published date: 2019-08-23T21:53:51Z
CVE: CVE-2019-14751
Links:

NLTK Downloader before 3.4.5 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in an NLTK package (ZIP archive) that is mishandled during extraction.

Affected versions: ["0.8", "0.9", "0.9.3", "0.9.4", "0.9.5", "0.9.6", "0.9.7", "0.9.8", "0.9.9", "2.0.1", "2.0.1rc1", "2.0.1rc2-git", "2.0.1rc3", "2.0.1rc4", "2.0.2", "2.0.3", "2.0.4", "2.0.5", "2.0b4", "2.0b5", "2.0b6", "2.0b7", "2.0b8", "2.0b9", "3.0.0", "3.0.0b1", "3.0.0b2", "3.0.1", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.1", "3.2", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.2.5", "3.3", "3.4", "3.4.1", "3.4.2", "3.4.3", "3.4.4"]
Secure versions: [3.9, 3.9.1]
Recommendation: Update to version 3.9.1.

NLTK Vulnerable to REDoS

Published date: 2022-01-06T22:24:14Z
CVE: CVE-2021-3842
Links:

NLTK is vulnerable to REDoS in some RegexpTaggers used in the functions get_pos_tagger and malt_regex_tagger.

Affected versions: ["0.8", "0.9", "0.9.3", "0.9.4", "0.9.5", "0.9.6", "0.9.7", "0.9.8", "0.9.9", "2.0.1", "2.0.1rc1", "2.0.1rc2-git", "2.0.1rc3", "2.0.1rc4", "2.0.2", "2.0.3", "2.0.4", "2.0.5", "2.0b4", "2.0b5", "2.0b6", "2.0b7", "2.0b8", "2.0b9", "3.0.0", "3.0.0b1", "3.0.0b2", "3.0.1", "3.0.2", "3.0.3", "3.0.4", "3.0.5", "3.1", "3.2", "3.2.1", "3.2.2", "3.2.3", "3.2.4", "3.2.5", "3.3", "3.4", "3.4.1", "3.4.2", "3.4.3", "3.4.4", "3.4.5", "3.5", "3.5b1", "3.6", "3.6.1", "3.6.2", "3.6.3", "3.6.4", "3.6.5"]
Secure versions: [3.9, 3.9.1]
Recommendation: Update to version 3.9.1.

63 Other Versions

Version License Security Released
3.9.1 Apache-2.0
3.9 Apache-2.0
3.8.2 Apache-2.0 1
3.8.1 Apache-2.0 1
3.8 Apache-2.0 1
3.7 Apache-2.0 1 2022-02-09 - 12:40 over 2 years
3.6.7 Apache-2.0 1 2021-12-28 - 23:28 almost 3 years
3.6.6 Apache-2.0 1 2021-12-21 - 02:16 almost 3 years
3.6.5 Apache-2.0 3 2021-10-11 - 03:49 about 3 years
3.6.4 Apache-2.0 3 2021-10-01 - 01:58 about 3 years
3.6.3 Apache-2.0 4 2021-09-20 - 06:00 about 3 years
3.6.2 Apache-2.0 4 2021-04-20 - 07:42 over 3 years
3.6.1 Apache-2.0 4 2021-04-07 - 21:36 over 3 years
3.6 Apache-2.0 4 2021-04-07 - 10:49 over 3 years
3.5 Apache-2.0 4 2020-04-12 - 23:46 over 4 years
3.4.5 Apache-2.0 4 2019-08-20 - 10:55 about 5 years
3.4.4 Apache-2.0 5 2019-07-04 - 11:09 over 5 years
3.4.3 Apache-2.0 5 2019-06-06 - 17:52 over 5 years
3.4.2 Apache-2.0 5 2019-06-06 - 04:02 over 5 years
3.4.1 Apache-2.0 5 2019-04-17 - 10:48 over 5 years
3.4 Apache-2.0 5 2018-11-17 - 08:04 almost 6 years
3.3 Apache-2.0 5 2018-05-06 - 02:27 over 6 years
3.2.5 Apache-2.0 5 2017-09-24 - 11:36 about 7 years
3.2.4 Apache-2.0 5 2017-05-20 - 22:49 over 7 years
3.2.3 Apache-2.0 5 2017-05-17 - 20:59 over 7 years
3.2.2 Apache-2.0 5 2016-12-31 - 21:47 almost 8 years
3.2.1 Apache-2.0 5 2016-04-09 - 10:06 over 8 years
3.2 Apache-2.0 5 2016-03-03 - 01:12 over 8 years
3.1 Apache-2.0 5 2015-10-15 - 19:51 about 9 years
3.0.5 Apache-2.0 5 2015-09-06 - 02:51 about 9 years
3.0.4 Apache-2.0 5 2015-07-13 - 01:39 over 9 years
3.0.3 Apache-2.0 5 2015-06-11 - 10:59 over 9 years
3.0.2 Apache-2.0 5 2015-03-13 - 03:43 over 9 years
3.0.1 Apache-2.0 5 2015-01-12 - 23:11 almost 10 years
3.0.0 Apache-2.0 5 2015-01-12 - 00:24 almost 10 years
3.0.0b2 Apache-2.0 5 2014-08-26 - 00:56 about 10 years
3.0.0b1 Apache-2.0 5 2014-07-11 - 13:32 over 10 years
2.0.5 Apache-2.0 5 2015-01-12 - 22:55 almost 10 years
2.0.4 Apache-2.0 5 2015-01-12 - 22:58 almost 10 years
2.0.3 Apache-2.0 5 2012-09-24 - 09:34 about 12 years
2.0.2 Apache-2.0 5 2012-07-05 - 12:08 over 12 years
2.0.1 Apache-2.0 5 2012-05-15 - 04:29 over 12 years
2.0.1rc4 Apache-2.0 5 2012-02-10 - 00:01 over 12 years
2.0.1rc3 Apache-2.0 5 2012-01-07 - 06:41 almost 13 years
2.0.1rc1 Apache-2.0 5 2011-04-11 - 08:04 over 13 years
2.0.1rc2-git Apache-2.0 5 2011-12-01 - 04:45 almost 13 years
0.9.9 GPL 5
0.9.8 GPL 5
0.9.7 GPL 5
0.9.6 GPL 5
0.9.5 GPL 5
0.9.4 GPL 5
0.9.3 GPL 5
0.9 GPL 5
0.8 GPL 5
2.0b7 Apache-2.0 5 2009-11-09 - 14:20 almost 15 years
2.0b6 Apache-2.0 5 2009-09-25 - 10:31 about 15 years
2.0b8 Apache-2.0 5 2010-03-10 - 20:30 over 14 years
2.0b4 Apache-2.0 5 2009-07-15 - 09:32 over 15 years
2.0b5 Apache-2.0 5 2009-07-19 - 10:20 over 15 years
2.0b9 Apache-2.0 5 2010-08-23 - 07:46 about 14 years
3.5b1 Apache-2.0 4 2020-03-08 - 00:48 over 4 years
3.9b1 Apache-2.0 1