CVE-2019-14751
Description
NLTK Downloader before 3.4.5 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in an NLTK package (ZIP archive) that is mishandled during extraction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
NLTK Downloader before 3.4.5 mishandles ZIP extraction, allowing directory traversal via crafted ZIP archives that write arbitrary files.
Root Cause
The NLTK Downloader prior to version 3.4.5 is vulnerable to a directory traversal attack. The custom _unzip_iter() function in nltk/downloader.py does not properly sanitize file paths extracted from ZIP archives. By including ../ (dot dot slash) sequences in filenames within a malicious ZIP package, an attacker can cause files to be written outside the intended extraction directory [1][3].
Exploitation
An attacker must craft a ZIP archive containing filenames with directory traversal sequences. The NLTK Downloader, used for acquiring linguistic data packages, will process such an archive without validation. No authentication is required; the attack can be triggered by enticing a user to download a malicious NLTK package [2][3].
Impact
Successful exploitation allows arbitrary file write on the victim's system, possibly overwriting critical files (such as Python modules) to achieve code execution. The vulnerability is rated Critical (CVSS 9.8) due to the low attack complexity and network-based attack vector [1][2].
Mitigation
The vulnerability was patched in NLTK version 3.4.5. Users should upgrade to that version or later. No workaround is available; the changelog for 3.4.5 explicitly notes the fix for directory traversal [4]. The CVE is included in CISA's Known Exploited Vulnerabilities catalog, underscoring the need for immediate patching [2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
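The defect described above is a missing containment check: the extractor built each destination from the archive member's name and wrote to it without confirming the result still lay under the extraction root. The following is an added example, not NLTK's code, of the check a loader should apply before extracting any downloaded package. It resolves every member against the root and refuses the whole archive if any member escapes, then runs that check over two constructed in-memory archives: one well-formed, one carrying a `../` member of the kind the description mentions. The helper names (`unsafe_entries`, `safe_extract`, `build_archive`) and the fixture contents are assumptions of this example.

```python
"""Added example, not NLTK's code: refuse Zip Slip entries before extraction.

The vulnerable _unzip_iter() built each destination as
os.path.join(root, *name.split('/')) and wrote to it without checking where
it landed, so a member named '../x' resolved to the parent of `root`. The
check below resolves every member against the extraction root first and
refuses the whole archive if any member escapes. All archive names and
contents here are constructed fixtures, not real NLTK packages.
"""
import io
import os
import tempfile
import zipfile


def unsafe_entries(zf: zipfile.ZipFile, root: str) -> list[str]:
    """Return member names whose destination would fall outside `root`.

    realpath() normalises '..' segments (and a symlinked root) before the
    containment test; commonpath() raises ValueError when the two paths
    cannot share a prefix (different drives on Windows), which also counts
    as escaping.
    """
    real_root = os.path.realpath(root)
    escaped = []
    for info in zf.infolist():
        # Same destination construction the vulnerable loop used.
        dest = os.path.realpath(os.path.join(real_root, *info.filename.split("/")))
        try:
            contained = os.path.commonpath([real_root, dest]) == real_root
        except ValueError:
            contained = False
        if not contained:
            escaped.append(info.filename)
    return escaped


def unsafe_names(zip_bytes: bytes, root: str) -> list[str]:
    """Convenience wrapper: run unsafe_entries() over an in-memory archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return unsafe_entries(zf, root)


def safe_extract(zip_bytes: bytes, root: str) -> list[str]:
    """Extract into `root` only if every member stays inside it.

    Returns the extracted member names; raises ValueError listing the
    offending members otherwise, and writes nothing in that case.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        escaped = unsafe_entries(zf, root)
        if escaped:
            raise ValueError(f"refusing archive: {escaped} escape {root!r}")
        zf.extractall(root)
        return zf.namelist()


def build_archive(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP with the given member names (test fixture only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed fixtures: a well-formed data package and one carrying a '../' member.
BENIGN = build_archive({"corpora/sample/README": b"sample corpus\n"})
TRAVERSAL = build_archive({
    "corpora/sample/README": b"sample corpus\n",
    "../escaped.txt": b"would land beside the extraction root\n",
})


def demo() -> dict:
    """Extract both fixtures into fresh directories and report the outcome."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        good_root = os.path.join(tmp, "good", "nltk_data")
        out["benign"] = safe_extract(BENIGN, good_root)

        bad_root = os.path.join(tmp, "bad", "nltk_data")
        try:
            safe_extract(TRAVERSAL, bad_root)
            out["traversal"] = "extracted"
        except ValueError:
            out["traversal"] = "rejected"
        # Neither the escaped file nor the benign member was written: the
        # archive is rejected as a whole before extractall() runs.
        out["escaped_written"] = os.path.exists(os.path.join(tmp, "bad", "escaped.txt"))
        out["partial_written"] = os.path.exists(bad_root)
    return out


if __name__ == "__main__":
    print(demo())
```

Rejecting the whole archive rather than skipping the offending member is deliberate: a package that contains a traversal entry is not one you want half-installed, and an all-or-nothing decision is easier to log and alert on. The check does not cover archive members that are symlinks pointing outside the root; that is a separate variant and would need an additional test on each member's mode bits.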
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| nltk (PyPI) | < 3.4.5 | 3.4.5 |
Affected products
- NLTK / NLTK Downloader (source: CVE description)
- ghsa-coords (4 versions): pkg:pypi/nltk; pkg:rpm/opensuse/python-nltk&distro=openSUSE%20Leap%2015.1; pkg:rpm/suse/python-nltk&distro=SUSE%20Package%20Hub%2015%20SP1; pkg:rpm/suse/python-nltk&distro=SUSE%20Package%20Hub%2015%20SP2
  - (no CPE) range: < 3.4.5
  - (no CPE) range: < 3.4.5-lp151.4.3.1
  - (no CPE) range: < 3.4.5-bp151.4.3.1
  - (no CPE) range: < 3.7-bp152.3.3.1
Patches
1 file changed · +1 −35
nltk/downloader.py+1 −35 modified@@ -2260,42 +2260,8 @@ def _unzip_iter(filename, root, verbose=True): yield ErrorMessage(filename, e) return - # Get lists of directories & files - namelist = zf.namelist() - dirlist = set() - for x in namelist: - if x.endswith('/'): - dirlist.add(x) - else: - dirlist.add(x.rsplit('/', 1)[0] + '/') - filelist = [x for x in namelist if not x.endswith('/')] - - # Create the target directory if it doesn't exist - if not os.path.exists(root): - os.mkdir(root) - - # Create the directory structure - for dirname in sorted(dirlist): - pieces = dirname[:-1].split('/') - for i in range(len(pieces)): - dirpath = os.path.join(root, *pieces[: i + 1]) - if not os.path.exists(dirpath): - os.mkdir(dirpath) - - # Extract files. - for i, filename in enumerate(filelist): - filepath = os.path.join(root, *filename.split('/')) - - try: - with open(filepath, 'wb') as dstfile, zf.open(filename) as srcfile: - shutil.copyfileobj(srcfile, dstfile) - except Exception as e: - yield ErrorMessage(filename, e) - return + zf.extractall(root) - if verbose and (i * 10 / len(filelist) > (i - 1) * 10 / len(filelist)): - sys.stdout.write('.') - sys.stdout.flush() if verbose: print()
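Review bot: the new `zf.extractall(root)` is not wrapped in `try`/`except`, so an I/O or corrupt-member error during extraction now propagates out of the generator instead of being reported through the `yield ErrorMessage(filename, e); return` path that the removed per-file loop (and the `zf.open` handling just above the hunk) used; wrapping the call in the same `try: ... except Exception as e: yield ErrorMessage(filename, e); return` would keep the generator's error contract intact. The hunk adds no path check of its own, so the traversal fix depends entirely on `extractall` normalising `..` segments when it builds the target path; a one-line comment at the call site stating that dependency would stop a later refactor from reintroducing a hand-rolled `os.path.join(root, *filename.split('/'))`. With the progress-dot block removed, the surviving `if verbose: print()` now only emits an empty line and can go as well.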
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.opensuse.org/opensuse-security-announce/2020-03/msg00054.html (ghsa; vendor-advisory; x_refsource_SUSE; WEB)
- lists.opensuse.org/opensuse-security-announce/2020-04/msg00001.html (ghsa; vendor-advisory; x_refsource_SUSE; WEB)
- github.com/advisories/GHSA-mr7p-25v2-35wr (ghsa; ADVISORY)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QI4IJGLZQ5S7C5LNRNROHAO2P526XE3D/ (mitre; vendor-advisory; x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZGZSSEJH7RHH3RBUEVWWYT75QU67J7SE/ (mitre; vendor-advisory; x_refsource_FEDORA)
- nvd.nist.gov/vuln/detail/CVE-2019-14751 (ghsa; ADVISORY)
- github.com/nltk/nltk/blob/3.4.5/ChangeLog (ghsa; x_refsource_CONFIRM; WEB)
- github.com/nltk/nltk/commit/f59d7ed8df2e0e957f7f247fe218032abdbe9a10 (ghsa; x_refsource_CONFIRM; WEB)
- github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2019-106.yaml (ghsa; WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QI4IJGLZQ5S7C5LNRNROHAO2P526XE3D (ghsa; WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZGZSSEJH7RHH3RBUEVWWYT75QU67J7SE (ghsa; WEB)
- salvatoresecurity.com/zip-slip-in-nltk-cve-2019-14751 (ghsa; WEB)
- salvatoresecurity.com/zip-slip-in-nltk-cve-2019-14751/ (mitre; x_refsource_MISC)
News mentions
No linked articles in our index yet.