Critical severity 9.8 · OSV Advisory · Published Jun 27, 2024 · Updated Apr 15, 2026
CVE-2024-39705
Description
NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, for example, averaged_perceptron_tagger and punkt.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| nltk (PyPI) | < 3.9 | 3.9 |
Affected products
osv-coords, 28 versions (no CPE for any entry):

| Package | Affected range |
|---|---|
| pkg:apk/chainguard/apache-beam-python-3.11-sdk | < 2.58.1-r0 |
| pkg:apk/chainguard/nemo | < 1.23.0-r12 |
| pkg:apk/chainguard/py3.10-nltk | < 3.8.2-r0 |
| pkg:apk/chainguard/py3.10-nltk-bin | < 3.8.2-r0 |
| pkg:apk/chainguard/py3.11-nltk | < 3.8.2-r0 |
| pkg:apk/chainguard/py3.11-nltk-bin | < 3.8.2-r0 |
| pkg:apk/chainguard/py3.12-nltk | < 3.8.2-r0 |
| pkg:apk/chainguard/py3.12-nltk-bin | < 3.8.2-r0 |
| pkg:apk/chainguard/py3.13-nltk | < 3.8.2-r0 |
| pkg:apk/chainguard/py3.13-nltk-bin | < 3.8.2-r0 |
| pkg:apk/chainguard/py3-nltk | < 3.8.2-r0 |
| pkg:apk/chainguard/py3-supported-nltk | < 3.8.2-r0 |
| pkg:apk/wolfi/py3.10-nltk | < 3.8.2-r0 |
| pkg:apk/wolfi/py3.10-nltk-bin | < 3.8.2-r0 |
| pkg:apk/wolfi/py3.11-nltk | < 3.8.2-r0 |
| pkg:apk/wolfi/py3.11-nltk-bin | < 3.8.2-r0 |
| pkg:apk/wolfi/py3.12-nltk | < 3.8.2-r0 |
| pkg:apk/wolfi/py3.12-nltk-bin | < 3.8.2-r0 |
| pkg:apk/wolfi/py3.13-nltk | < 3.8.2-r0 |
| pkg:apk/wolfi/py3.13-nltk-bin | < 3.8.2-r0 |
| pkg:apk/wolfi/py3-nltk | < 3.8.2-r0 |
| pkg:apk/wolfi/py3-supported-nltk | < 3.8.2-r0 |
| pkg:pypi/nltk | < 3.9 |
| pkg:rpm/opensuse/python-nltk&distro=openSUSE%20Leap%2015.5 | < 3.7-bp155.3.3.1 |
| pkg:rpm/opensuse/python-nltk&distro=openSUSE%20Leap%2015.6 | < 3.7-bp156.4.3.1 |
| pkg:rpm/opensuse/python-nltk&distro=openSUSE%20Tumbleweed | < 3.8.1-2.1 |
| pkg:rpm/suse/python-nltk&distro=SUSE%20Package%20Hub%2015%20SP5 | < 3.7-bp155.3.3.1 |
| pkg:rpm/suse/python-nltk&distro=SUSE%20Package%20Hub%2015%20SP6 | < 3.7-bp156.4.3.1 |
References
- github.com/advisories/GHSA-cgvx-9447-vcch (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-39705 (ghsa, ADVISORY)
- github.com/nltk/nltk/commit/441aecb7d33014bd08672232c6c8bb69c2ceaba2 (ghsa, WEB)
- github.com/nltk/nltk/issues/2522 (nvd, WEB)
- github.com/nltk/nltk/issues/3266 (nvd, WEB)
- github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2024-167.yaml (ghsa, WEB)
- www.vicarius.io/vsociety/posts/rce-in-python-nltk-cve-2024-39705-39706 (nvd, WEB)