
Commit 56c5499

a-klos and renovate-bot authored
chore(deps): update dependency nltk to v3.9.3 [security] (#281)
This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| [nltk](https://www.nltk.org/) ([source](https://redirect.github.com/nltk/nltk)) | `3.9.2` -> `3.9.3` | [![age](https://developer.mend.io/api/mc/badges/age/pypi/nltk/3.9.3?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/nltk/3.9.2/3.9.3?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2025-14009](https://nvd.nist.gov/vuln/detail/CVE-2025-14009)

A critical vulnerability exists in the NLTK downloader component of nltk/nltk, affecting all versions. The _unzip_iter function in nltk/downloader.py uses zipfile.extractall() without performing path validation or security checks. This allows attackers to craft malicious zip packages that, when downloaded and extracted by NLTK, can execute arbitrary code. The vulnerability arises because NLTK assumes all downloaded packages are trusted and extracts them without validation. If a malicious package contains Python files, such as __init__.py, these files are executed automatically upon import, leading to remote code execution. This issue can result in full system compromise, including file system access, network access, and potential persistence mechanisms.

---

### Release Notes

<details>
<summary>nltk/nltk (nltk)</summary>

### [`v3.9.3`](https://redirect.github.com/nltk/nltk/compare/3.9.2...3.9.3)

[Compare Source](https://redirect.github.com/nltk/nltk/compare/3.9.2...3.9.3)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).

Co-authored-by: Renovate Bot <renovate@whitesourcesoftware.com>
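The advisory above describes an extractor that hands downloaded archives straight to `zipfile.extractall()` with no validation. As an added illustration (not NLTK's code, and not the fix shipped in 3.9.3), the following audits every archive member before extraction: absolute names, `..` traversal components, symlink entries, and, as an assumed policy for a pure data package, Python source files are all rejected. The archive contents are constructed in memory for the demonstration.

```python
import io
import os
import posixpath
import stat
import zipfile

# Assumed policy: a downloaded *data* package should never carry importable
# Python source, since an __init__.py would run on import (see advisory).
FORBIDDEN_SUFFIXES = (".py", ".pyc", ".pth")


def audit_zip_members(zip_bytes: bytes) -> dict[str, str]:
    """Return {member_name: reason} for every entry that must not be extracted.

    All checks run on the central directory, before any extractall() call.
    An empty dict means the archive passed the audit.
    """
    findings: dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            parts = name.replace("\\", "/").split("/")
            if name.startswith(("/", "\\")) or os.path.splitdrive(name)[0]:
                findings[name] = "absolute path"
            elif ".." in parts:
                findings[name] = "path traversal"
            elif stat.S_ISLNK(info.external_attr >> 16):  # unix mode bits
                findings[name] = "symlink entry"
            elif posixpath.splitext(name)[1] in FORBIDDEN_SUFFIXES:
                findings[name] = "python source in data package"
    return findings


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Extract only if the audit is clean; otherwise refuse with ValueError."""
    findings = audit_zip_members(zip_bytes)
    if findings:
        raise ValueError(f"refusing to extract: {findings}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
        return zf.namelist()


def build_sample_archive(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {name: content} (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()
```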
1 parent 55fa65f commit 56c5499

File tree

1 file changed

+4
-4
lines changed

libs/admin-api-lib/poetry.lock

Lines changed: 4 additions & 4 deletions