Outdated nltk dependency contains CVE-2025-14009

[MonkeyCanCode]

Hello,

I noticed we are pinned the following for nltk version which has CVE-2025-14009:

nltk = { version = "3.9.1", optional = true }

Is there a plan to update this to a newer version?

Thanks,
Yong

---

Internal Tracking: https://github.com/airbytehq/oncall/issues/11795

[devin-ai-integration]

Hi Yong Zheng (@MonkeyCanCode), thank you for reporting this issue!

You are correct that nltk is currently pinned at 3.9.1 in the Airbyte Python CDK, which is affected by CVE-2025-14009 — a critical (CVSS 10.0) Zip Slip vulnerability in the NLTK downloader component. The fix is available in nltk version 3.9.3.

Good news — this is already being actively addressed:

• A fix PR has been opened to bump nltk from 3.9.1 to 3.9.3: fix(deps): bump nltk from 3.9.1 to 3.9.3 to address CVE-2025-14009 #964
• This is tracked internally and the fix will propagate to all affected connectors once the CDK release is published.

Practical risk context: While the CVSS score is 10.0, the actual risk to Airbyte users is low in practice. The vulnerability is in the nltk.download() code path, which downloads data from the official NLTK data server inside isolated connector containers. Exploitation would require serving a malicious NLTK data package, which is unlikely in the Airbyte runtime environment. That said, the version bump is important for security compliance and scanning.

This issue is being tracked internally: https://github.com/airbytehq/oncall/issues/11795

---

Need more help? Join Airbyte Community Slack for peer support, or if you're a Cloud customer, open a support ticket referencing this URL.