SB2021122321 - Multiple vulnerabilities in Natural Language Toolkit (nltk)
Published: December 23, 2021 Updated: March 24, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Inefficient regular expression complexity (CVE-ID: CVE-2021-43854)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.
2) Inefficient regular expression complexity (CVE-ID: CVE-2021-3842)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.
Remediation
Install update from vendor's website.
References
- https://github.com/nltk/nltk/pull/2869
- https://github.com/nltk/nltk/commit/1405aad979c6b8080dbbc8e0858f89b2e3690341
- https://github.com/nltk/nltk/security/advisories/GHSA-f8m6-h2c7-8h9x
- https://github.com/nltk/nltk/issues/2866
- https://huntr.dev/bounties/761a761e-2be2-430a-8d92-6f74ffe9866a
- https://github.com/nltk/nltk/commit/2a50a3edc9d35f57ae42a921c621edc160877f4d