Critical severity 9.8 · NVD Advisory · Published Jun 27, 2024 · Updated Apr 15, 2026
CVE-2024-39705
Description
NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, for example, averaged_perceptron_tagger and punkt.
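An added example (not code from NLTK or from this advisory): a defender-side audit that lists what each `.pickle` file under a data directory would import when loaded, reading the opcode stream with `pickletools` instead of unpickling it. The directory layout and file contents built in `demo()` are constructed sample data, not real NLTK packages.

```python
import collections
import pickle
import pickletools
import tempfile
from pathlib import Path


def imported_names(data: bytes) -> list[str]:
    """Return 'module.name' for each import opcode, without unpickling."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            found.append(arg.replace(" ", ".", 1))
        elif op.name == "STACK_GLOBAL":
            # Standard picklers push module then name just before this opcode; a
            # hand-built stream may not, so the name is best effort, the finding is not.
            found.append(".".join(strings[-2:]) if len(strings) >= 2 else "<unresolved>")
        elif isinstance(arg, str):
            strings.append(arg)
    return found


def audit_tree(root: Path) -> dict[str, list[str]]:
    """Map each *.pickle under root to the imports it would perform on load."""
    report = {}
    for path in sorted(root.rglob("*.pickle")):
        try:
            names = imported_names(path.read_bytes())
        except Exception as exc:  # truncated or malformed stream
            names = [f"<unparseable: {type(exc).__name__}>"]
        if names:
            report[path.relative_to(root).as_posix()] = names
    return report


def demo() -> dict[str, list[str]]:
    """Audit a constructed directory (sample files, not real NLTK packages)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "taggers").mkdir()
        (root / "taggers" / "plain.pickle").write_bytes(pickle.dumps({"NN": 0.5}))
        (root / "taggers" / "with_import.pickle").write_bytes(
            pickle.dumps(collections.OrderedDict(NN=0.5)))
        return audit_tree(root)


if __name__ == "__main__":
    print(demo())
```

A file that holds only containers, strings and numbers produces no entry; any entry is a file whose load would resolve and call named objects, which is the behaviour the description above depends on.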
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| nltk (PyPI) | < 3.9 | 3.9 |
Patches
441aecb7d330 Update version to 3.8.2, add release notes
4 files changed · +18 −3
ChangeLog+8 −0 modified@@ -1,4 +1,12 @@ +Version 3.8.2 2024-08-09 +* Remove support for pickled models, resolves security vulnerability CVE-2024-39705 +* Many other minor fixes + +Thanks to the following contributors to 3.8.2: +Tom Aarsen, Cat Lee Ball, Veralara Bernhard, Carlos Brandt, Konstantin Chernyshev, Michael Higgins, +Eric Kafe, Vivek Kalyan, David Lukes, Rob Malouf, purificant, Alex Rudnick, Liling Tan, Akihiro Yamazaki. + Version 3.8.1 2023-01-02 * Resolve RCE vulnerability in localhost WordNet Browser (#3100)
nltk/VERSION+1 −1 modified@@ -1 +1 @@ -3.8.1 +3.8.2
web/conf.py+2 −2 modified@@ -126,9 +126,9 @@ def generate_custom_files(): # built documents. # # The short X.Y version. -version = "3.8.1" +version = "3.8.2" # The full version, including alpha/beta/rc tags. -release = "3.8.1" +release = "3.8.2" # The language for content autogenerated by Sphinx. Refer to documentation # for a list of supported languages.
web/news.rst+7 −0 modified@@ -1,6 +1,13 @@ Release Notes ============= +2024 +---- + +NLTK 3.8.2 release: August 2024: +- Remove support for pickled models, resolves security vulnerability CVE-2024-39705 +- Many other minor fixes + 2023 ----
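Review bot: In the ChangeLog hunk, the new 3.8.2 line "Remove support for pickled models, resolves security vulnerability CVE-2024-39705" cites no issue or pull request, while the 3.8.1 entry directly below it cites "(#3100)". Add the tracking reference in the same style, and because dropping a model format changes behaviour for anyone who loads pickled models, add one line saying what they should load instead.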
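Review bot: In web/conf.py, `version` and `release` are bumped by hand to "3.8.2" in the same commit that edits nltk/VERSION, so the number is maintained in three places that must be kept in step. Consider having conf.py read nltk/VERSION and derive both values from it, so a later release cannot publish documentation with a stale version string.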
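Review bot: In web/news.rst, the added line "NLTK 3.8.2 release: August 2024:" is followed directly by "- Remove support for pickled models, resolves security vulnerability CVE-2024-39705" with no blank line between them, and reStructuredText only starts a bullet list after a blank line, so the two "- " lines are likely to render as running paragraph text. Add an empty line before the first bullet, or match the layout the existing 2023 entries use, and check the built page.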
References
- github.com/advisories/GHSA-cgvx-9447-vcch (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-39705 (ghsa, ADVISORY)
- github.com/nltk/nltk/commit/441aecb7d33014bd08672232c6c8bb69c2ceaba2 (ghsa, WEB)
- github.com/nltk/nltk/issues/2522 (nvd, WEB)
- github.com/nltk/nltk/issues/3266 (nvd, WEB)
- github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2024-167.yaml (ghsa, WEB)
- www.vicarius.io/vsociety/posts/rce-in-python-nltk-cve-2024-39705-39706 (nvd, WEB)