CVE-2026-0848

NLTK · NLTK

NLTK versions 3.9.2 and earlier are vulnerable to Remote Code Execution via improper validation of Java JAR files in the StanfordSegmenter module during the import process.

Executive summary

NLTK is subject to a critical Remote Code Execution vulnerability where the loading of unverified Java JAR files allows for arbitrary bytecode execution at the time of module import.

Vulnerability

The StanfordSegmenter module in NLTK fails to verify or sandbox external Java .jar files before execution via subprocess. An attacker can exploit this through dependency poisoning or MITM attacks to supply a malicious JAR file, leading to unauthenticated arbitrary code execution when the JVM loads the unvalidated classpath.

Business impact

With a CVSS score of 10.0, this is a maximum-severity vulnerability that allows for complete system takeover. An attacker can execute arbitrary code with the privileges of the application running NLTK, potentially leading to data theft, lateral movement, and persistent backdoors. This is particularly dangerous for automated pipelines and AI/ML research environments that dynamically load models or dependencies.

Remediation

Immediate Action: Update the NLTK library to the latest version (above 3.9.2) where the StanfordSegmenter module has been patched or the execution logic secured.

Proactive Monitoring: Monitor for unusual subprocess calls involving java -jar and inspect the integrity of local JAR files used by the NLTK library.

Compensating Controls: Implement network-level controls to prevent MITM attacks and use dependency pinning with hash verification (e.g., in requirements.txt) to prevent dependency poisoning.
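An integrity gate of the kind the two points above call for, as an added example that is not part of this advisory or of NLTK's own code: each pinned JAR is streamed through SHA-256, checked to be a well-formed zip, and the classpath is assembled only if every entry matches the hash recorded when it was vetted. The `segmenter.jar` name, the pinned mapping and the tampering scenario in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_jar(path: Path, expected_sha256: str) -> tuple[bool, str]:
    """A JAR is accepted only if it exists, is a well-formed zip and matches its pin."""
    if not path.is_file():
        return False, f"missing: {path}"
    if not zipfile.is_zipfile(path):
        return False, f"not a zip/JAR: {path}"
    actual = sha256_file(path)
    if actual != expected_sha256.lower():
        return False, f"hash mismatch for {path.name}: {actual}"
    return True, "ok"

def build_classpath(pinned: dict) -> str:
    """Return a classpath only if every pinned JAR verifies; otherwise raise.
    `pinned` maps a JAR path to the SHA-256 hex recorded when it was vetted."""
    results = [verify_jar(Path(j), d) for j, d in pinned.items()]
    problems = [reason for ok, reason in results if not ok]
    if problems:
        raise RuntimeError("refusing to start JVM: " + "; ".join(problems))
    return ":".join(str(j) for j in pinned)

def demo() -> tuple[bool, bool, bool]:
    """Constructed scenario: vetted JAR passes, tampered JAR fails, non-JAR fails."""
    with tempfile.TemporaryDirectory() as d:
        jar = Path(d) / "segmenter.jar"          # hypothetical file name
        with zipfile.ZipFile(jar, "w") as z:
            z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        pin = sha256_file(jar)                   # hash recorded at vetting time
        vetted_ok, _ = verify_jar(jar, pin)
        with zipfile.ZipFile(jar, "a") as z:     # file changed after vetting
            z.writestr("Extra.class", b"\xca\xfe\xba\xbe")
        tampered_ok, _ = verify_jar(jar, pin)
        bogus = Path(d) / "notajar.jar"
        bogus.write_bytes(b"plain text")
        bogus_ok, _ = verify_jar(bogus, sha256_file(bogus))
        return vetted_ok, tampered_ok, bogus_ok
```

Call `build_classpath` at the point where the `java` subprocess is assembled, so a JAR that no longer matches its pin stops the JVM from being launched rather than merely being logged afterwards.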

Exploitation status

Public Exploit Available: false

Analyst recommendation

Immediate patching of NLTK is mandatory for all development and production environments. Because the code executes at "import time," simply having the vulnerable library in a script that is executed can lead to compromise. Developers should audit their supply chains to ensure no malicious JAR files have been introduced.