NLTK has unauthenticated remote shutdown in nltk.app.wordnet_app
Description
NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, nltk.app.wordnet_app allows unauthenticated remote shutdown of the local WordNet Browser HTTP server when it is started in its default mode. A simple GET /SHUTDOWN%20THE%20SERVER request causes the process to terminate immediately via os._exit(0), resulting in a denial of service. Commit bbaae83db86a0f49e00f5b0db44a7254c268de9b patches the issue.
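Added example (not code from NLTK or the advisory): a bind-scope check that shows why the pre-patch bind host `""` exposes the server to other machines while the patched `"127.0.0.1"` does not, using the two bind hosts that appear in the fix commit. `StubHandler`, `bound_scope` and `audit` are hypothetical names introduced here, and the handler serves nothing.

```python
import ipaddress
import socketserver
from http.server import BaseHTTPRequestHandler, HTTPServer


class StubHandler(BaseHTTPRequestHandler):
    """Hypothetical stand-in for the WordNet Browser handler; serves nothing."""

    def do_GET(self):
        self.send_error(404)


def bound_scope(bind_host):
    """Bind an HTTPServer on an ephemeral port and report who can reach it.

    Returns (address the socket is bound to, scope). No request is served;
    the socket is closed before returning.
    """
    server = HTTPServer((bind_host, 0), StubHandler, bind_and_activate=False)
    try:
        # Same bind HTTPServer performs, minus its reverse lookup of its own name.
        socketserver.TCPServer.server_bind(server)
        host = server.server_address[0]
    finally:
        server.server_close()
    addr = ipaddress.ip_address(host)
    if addr.is_loopback:
        return host, "loopback"
    if addr.is_unspecified:
        return host, "all-interfaces"
    return host, "specific-interface"


def audit(bind_host):
    """Return a finding for a configured bind host, or None if it is local-only."""
    host, scope = bound_scope(bind_host)
    if scope == "loopback":
        return None
    return f"bind host {bind_host!r} listens on {host} ({scope}): not limited to this machine"


if __name__ == "__main__":
    # Bind hosts taken from the fix commit: "" before the patch, "127.0.0.1" after.
    for label, bind_host in (("pre-patch", ""), ("patched", "127.0.0.1")):
        print(label, bound_scope(bind_host), audit(bind_host))
```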
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| nltk (PyPI) | < 3.9.4 | 3.9.4 |
Affected products (1)
Patches (1)
1 file changed · +3 −2
nltk/app/wordnet_app.py+3 −2 modified@@ -238,8 +238,9 @@ def wnb(port=8000, runBrowser=True, logfilename=None): server_ready = threading.Event() browser_thread = startBrowser(url, server_ready) - # Start the server. - server = HTTPServer(("", port), MyServerHandler) + # Start the server. Bind to localhost only to prevent remote access + # and unauthenticated shutdown via /SHUTDOWN%20THE%20SERVER. + server = HTTPServer(("127.0.0.1", port), MyServerHandler) if logfile: logfile.write("NLTK Wordnet browser server running serving: %s\n" % url) if runBrowser:
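Review bot: The new comment above `HTTPServer(("127.0.0.1", port), MyServerHandler)` says the bind prevents unauthenticated shutdown via /SHUTDOWN%20THE%20SERVER, but this hunk only narrows who can connect. Nothing in it changes how that path is handled, so any client on the same host can still request it. Suggest rewording the comment to say that remote access is blocked, and addressing the shutdown path itself in a follow-up, for example by requiring a per-session token or removing the URL-triggered exit. The address is also hardcoded while `wnb(port=8000, runBrowser=True, logfilename=None)` takes no host argument, so anyone who relied on the previous all-interfaces bind has no supported opt-in; a `host="127.0.0.1"` keyword would keep the safe default and make wider exposure an explicit choice.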
References
- github.com/advisories/GHSA-jm6w-m3j8-898g (ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-33231 (ADVISORY)
- github.com/nltk/nltk/commit/bbaae83db86a0f49e00f5b0db44a7254c268de9b (WEB, x_refsource_MISC)
- github.com/nltk/nltk/security/advisories/GHSA-jm6w-m3j8-898g (WEB, x_refsource_CONFIRM)