nltk - Debian Package Tracker

general

source: nltk (main)
version: 3.9.2-1
maintainer: Debian Science Maintainers (archive) (DMD)
uploaders: Mo Zhou [DMD]
arch: all
std-ver: 4.6.0.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 3.5-1
oldstable: 3.8-1
stable: 3.9.1-2
testing: 3.9.2-1
unstable: 3.9.2-1

versioned links

3.5-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.8-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.9.1-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.9.2-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

python3-nltk (2 bugs: 0, 1, 1, 0)

action needed

A new upstream version is available: 3.9.3 high

A new upstream version 3.9.3 is available, you should consider packaging it.

Created: 2026-02-27 Last update: 2026-02-28 00:30

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2025-14009: A critical vulnerability exists in the NLTK downloader component of nltk/nltk, affecting all versions. The _unzip_iter function in nltk/downloader.py uses zipfile.extractall() without performing path validation or security checks. This allows attackers to craft malicious zip packages that, when downloaded and extracted by NLTK, can execute arbitrary code. The vulnerability arises because NLTK assumes all downloaded packages are trusted and extracts them without validation. If a malicious package contains Python files, such as __init__.py, these files are executed automatically upon import, leading to remote code execution. This issue can result in full system compromise, including file system access, network access, and potential persistence mechanisms.

Created: 2026-02-19 Last update: 2026-02-21 00:00

1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:

CVE-2025-14009: A critical vulnerability exists in the NLTK downloader component of nltk/nltk, affecting all versions. The _unzip_iter function in nltk/downloader.py uses zipfile.extractall() without performing path validation or security checks. This allows attackers to craft malicious zip packages that, when downloaded and extracted by NLTK, can execute arbitrary code. The vulnerability arises because NLTK assumes all downloaded packages are trusted and extracts them without validation. If a malicious package contains Python files, such as __init__.py, these files are executed automatically upon import, leading to remote code execution. This issue can result in full system compromise, including file system access, network access, and potential persistence mechanisms.

Created: 2026-02-19 Last update: 2026-02-21 00:00

5 security issues in buster high

There are 5 open security issues in buster.

1 important issue:

CVE-2024-39705: NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, for example, averaged_perceptron_tagger and punkt.

4 issues postponed or untriaged:

CVE-2021-3828: (needs triaging) nltk is vulnerable to Inefficient Regular Expression Complexity
CVE-2021-3842: (needs triaging) nltk is vulnerable to Inefficient Regular Expression Complexity
CVE-2019-14751: (needs triaging) NLTK Downloader before 3.4.5 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in an NLTK package (ZIP archive) that is mishandled during extraction.
CVE-2021-43854: (needs triaging) NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. Versions prior to 3.6.5 are vulnerable to regular expression denial of service (ReDoS) attacks. The vulnerability is present in PunktSentenceTokenizer, sent_tokenize and word_tokenize. Any users of this class, or these two functions, are vulnerable to the ReDoS attack. In short, a specifically crafted long input to any of these vulnerable functions will cause them to take a significant amount of execution time. If your program relies on any of the vulnerable functions for tokenizing unpredictable user input, then we would strongly recommend upgrading to a version of NLTK without the vulnerability. For users unable to upgrade the execution time can be bounded by limiting the maximum length of an input to any of the vulnerable functions. Our recommendation is to implement such a limit.

Created: 2024-06-28 Last update: 2024-06-28 15:00

lintian reports 1 warning normal

Lintian reports 1 warning about this package. You should make the package lintian clean getting rid of them.

Created: 2023-06-18 Last update: 2023-06-18 17:34

1 low-priority security issue in trixie low

There is 1 open security issue in trixie.

1 issue left for the package maintainer to handle:

CVE-2025-14009: (needs triaging) A critical vulnerability exists in the NLTK downloader component of nltk/nltk, affecting all versions. The _unzip_iter function in nltk/downloader.py uses zipfile.extractall() without performing path validation or security checks. This allows attackers to craft malicious zip packages that, when downloaded and extracted by NLTK, can execute arbitrary code. The vulnerability arises because NLTK assumes all downloaded packages are trusted and extracts them without validation. If a malicious package contains Python files, such as __init__.py, these files are executed automatically upon import, leading to remote code execution. This issue can result in full system compromise, including file system access, network access, and potential persistence mechanisms.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-02-19 Last update: 2026-02-21 00:00

2 low-priority security issues in bookworm low

There are 2 open security issues in bookworm.

2 issues left for the package maintainer to handle:

CVE-2024-39705: (postponed; to be fixed through a stable update) NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, for example, averaged_perceptron_tagger and punkt.
CVE-2025-14009: (needs triaging) A critical vulnerability exists in the NLTK downloader component of nltk/nltk, affecting all versions. The _unzip_iter function in nltk/downloader.py uses zipfile.extractall() without performing path validation or security checks. This allows attackers to craft malicious zip packages that, when downloaded and extracted by NLTK, can execute arbitrary code. The vulnerability arises because NLTK assumes all downloaded packages are trusted and extracts them without validation. If a malicious package contains Python files, such as __init__.py, these files are executed automatically upon import, leading to remote code execution. This issue can result in full system compromise, including file system access, network access, and potential persistence mechanisms.

You can find information about how to handle these issues in the security team's documentation.

Created: 2024-06-28 Last update: 2026-02-21 00:00

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.3 instead of 4.6.0.1).

Created: 2022-05-11 Last update: 2026-02-16 10:56

news

[rss feed]

[2026-02-20] nltk 3.9.2-1 MIGRATED to testing (Debian testing watch)
[2026-02-14] Accepted nltk 3.9.2-1 (source) into unstable (Mo Zhou)
[2024-10-18] nltk 3.9.1-2 MIGRATED to testing (Debian testing watch)
[2024-10-12] Accepted nltk 3.9.1-2 (source) into unstable (Santiago Vila)
[2024-10-07] nltk 3.9.1-1 MIGRATED to testing (Debian testing watch)
[2024-10-02] Accepted nltk 3.9.1-1 (source) into unstable (Mo Zhou)
[2023-06-23] nltk 3.8.1-1 MIGRATED to testing (Debian testing watch)
[2023-06-18] Accepted nltk 3.8.1-1 (source) into unstable (Mo Zhou)
[2022-12-20] nltk 3.8-1 MIGRATED to testing (Debian testing watch)
[2022-12-14] Accepted nltk 3.8-1 (source) into unstable (Mo Zhou)
[2022-02-22] nltk 3.7-1 MIGRATED to testing (Debian testing watch)
[2022-02-16] Accepted nltk 3.7-1 (source) into unstable (Mo Zhou)
[2022-01-12] nltk 3.6.7-1 MIGRATED to testing (Debian testing watch)
[2022-01-06] Accepted nltk 3.6.7-1 (source) into unstable (Mo Zhou)
[2021-11-19] nltk 3.6.5-1 MIGRATED to testing (Debian testing watch)
[2021-11-13] Accepted nltk 3.6.5-1 (source) into unstable (Mo Zhou)
[2020-04-28] nltk 3.5-1 MIGRATED to testing (Debian testing watch)
[2020-04-23] Accepted nltk 3.5-1 (source) into unstable (Mo Zhou)
[2019-12-27] nltk 3.4.5-2 MIGRATED to testing (Debian testing watch)
[2019-12-22] Accepted nltk 3.4.5-2 (source) into unstable (Mo Zhou) (signed by: Zhou Mo)
[2019-08-30] nltk 3.4.5-1 MIGRATED to testing (Debian testing watch)
[2019-08-24] Accepted nltk 3.4.5-1 (source) into unstable (Mo Zhou) (signed by: Zhou Mo)
[2019-07-27] nltk 3.4.3-1 MIGRATED to testing (Debian testing watch)
[2019-07-22] Accepted nltk 3.4.3-1 (source) into unstable (Mo Zhou) (signed by: Zhou Mo)
[2019-05-01] Accepted nltk 3.4.1-1 (source) into experimental (Mo Zhou) (signed by: Zhou Mo)
[2018-11-28] nltk 3.4-1 MIGRATED to testing (Debian testing watch)
[2018-11-23] Accepted nltk 3.4-1 (source) into unstable (Mo Zhou) (signed by: Zhou Mo)
[2018-06-02] nltk 3.3.0-1 MIGRATED to testing (Debian testing watch)
[2018-05-27] Accepted nltk 3.3.0-1 (source) into unstable (Mo Zhou) (signed by: Adam Borowski)
[2018-04-08] nltk 3.2.5-2 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 3
RC: 0
I&N: 2
M&W: 1
F&P: 0
patch: 0

links

homepage
lintian (0, 1)
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker

ubuntu

[Information about Ubuntu for Debian Developers]

version: 3.9.2-1