PyPI: nltk
CVE-2026-33231
Safety vulnerability ID: SFTY-20260319-86830
Safety legacy ID: pyup.io-89826
Overview
Unauthenticated remote shutdown in nltk.app.wordnet_app
Advisory
Affected versions of the nltk package are vulnerable to Denial of Service (DoS) due to missing authentication on a shutdown function in the WordNet Browser HTTP server. In nltk.app.wordnet_app, HTTPServer(("", port), MyServerHandler) listens on all interfaces by default, and the request handler checks whether the decoded path equals SHUTDOWN THE SERVER; when server_mode=False in the default runBrowser=True mode, that path triggers os._exit(0) and immediately terminates the process.
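A hardened counterpart to the pattern described above, as an added example that is not NLTK's code or its patch: the server binds to loopback only, and the shutdown path is honoured only with a per-process random token. HardenedHandler, start_server, fetch_status and the ?token= parameter are hypothetical names chosen for this example.

```python
import hmac
import secrets
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import quote, unquote

SHUTDOWN_PATH = "SHUTDOWN THE SERVER"  # control path named in the advisory


class HardenedHandler(BaseHTTPRequestHandler):  # hypothetical name
    def do_GET(self):
        path, _, token = unquote(self.path.lstrip("/")).partition("?token=")
        if path != SHUTDOWN_PATH:
            return self._reply(200, "page")
        # Shutdown needs the per-process secret; compare in constant time.
        if not hmac.compare_digest(token.encode(), self.server.token.encode()):
            return self._reply(403, "forbidden")
        self._reply(200, "stopping")
        # Stop cleanly from another thread; shutdown() would deadlock here.
        threading.Thread(target=self.server.shutdown, daemon=True).start()

    def _reply(self, code, text):
        body = text.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_server(port=0):
    # Loopback only, instead of ("", port), which listens on all interfaces.
    server = HTTPServer(("127.0.0.1", port), HardenedHandler)
    server.token = secrets.token_urlsafe(16)  # assumption: token shown to the local user
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    return server, thread


def fetch_status(server, path):
    # Local test client: returns the HTTP status for a GET on the given path.
    conn = HTTPConnection("127.0.0.1", server.server_address[1], timeout=5)
    try:
        conn.request("GET", "/" + quote(path, safe="?="))
        return conn.getresponse().status
    finally:
        conn.close()
```

A request for the shutdown path without the token gets a 403 and the server keeps serving; with the token, serve_forever() returns normally rather than the process being killed with os._exit(0).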
How to Fix
Mitigation and Workarounds
---
Vulnerable Functions
Functions linked to known vulnerabilities.
References
- https://getsafety.com/vulnerabilities/SFTY-20260319-86830/CVE-2026-33231
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33231
- https://data.safetycli.com/changelogs/nltk/
- https://github.com/advisories/GHSA-jm6w-m3j8-898g
- https://pypi.org/project/nltk
- https://github.com/nltk/nltk/security/advisories/GHSA-jm6w-m3j8-898g
- https://nvd.nist.gov/vuln/detail/CVE-2026-33231
- https://github.com/nltk/nltk/commit/bbaae83db86a0f49e00f5b0db44a7254c268de9b
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
