CVE-2021-43854
CVE-2021-43854 is a high-severity vulnerability in Nltk with a CVSS 3.x base score of 7.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-400.
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- CVSS v2: 5.0
- EPSS exploit prediction: 3% (84th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-400
- Affected product: Nltk
- Published:
- Last modified:
Description
NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. Versions prior to 3.6.5 are vulnerable to regular expression denial of service (ReDoS) attacks. The vulnerability is present in PunktSentenceTokenizer, sent_tokenize and word_tokenize. Any users of this class, or these two functions, are vulnerable to the ReDoS attack. In short, a specifically crafted long input to any of these vulnerable functions will cause them to take a significant amount of execution time. If your program relies on any of the vulnerable functions for tokenizing unpredictable user input, then we would strongly recommend upgrading to a version of NLTK without the vulnerability. For users unable to upgrade the execution time can be bounded by limiting the maximum length of an input to any of the vulnerable functions. Our recommendation is to implement such a limit.
Frequently asked questions
- What is CVE-2021-43854?
- NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. Versions prior to 3.6.5 are vulnerable to regular expression denial of service (ReDoS) attacks. The vulnerability is present in PunktSentenceTokenizer, sent_tokenize and word_tokenize. Any users of this class, or these two functions, are vulnerable to the ReDoS attack. In short, a specifically crafted long input to any of these vulnerable functions will cause them to take a significant amount of execution time. If your program relies on any of the vulnerable functions for tokenizing unpredictable user input, then we would strongly recommend upgrading to a version of NLTK without the vulnerability. For users unable to upgrade the execution time can be bounded by limiting the maximum length of an input to any of the vulnerable functions. Our recommendation is to implement such a limit.
- How severe is CVE-2021-43854?
- CVE-2021-43854 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
- Is CVE-2021-43854 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 3% (84th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2021-43854?
- CVE-2021-43854 affects Nltk. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2021-43854?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2021-43854 published?
- CVE-2021-43854 was published on 2021-12-23 and last updated on 2026-06-17.
References
- https://github.com/nltk/nltk/commit/1405aad979c6b8080dbbc8e0858f89b2e3690341
- https://github.com/nltk/nltk/issues/2866
- https://github.com/nltk/nltk/pull/2869
- https://github.com/nltk/nltk/security/advisories/GHSA-f8m6-h2c7-8h9x
Affected products (1)
- cpe:2.3:a:nltk:nltk:*:*:*:*:*:*:*:*
More vulnerabilities in Nltk
- CVE-2026-0848 — Critical (CVSS 10.0): NLTK versions <=3.9.2 are vulnerable to arbitrary code execution due to improper input validation in the…
- CVE-2025-14009 — High (CVSS 8.8): A critical vulnerability exists in the NLTK downloader component of nltk/nltk, affecting all versions. The _unzip_iter…
- CVE-2026-33236 — High (CVSS 8.1): NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research…
- CVE-2026-12252 — High (CVSS 7.8): In nltk/nltk versions 3.9.3 and earlier, five Stanford interface classes (StanfordPOSTagger, StanfordNERTagger,…
- CVE-2026-12243 — High (CVSS 7.5): NLTK version 3.9.4 is vulnerable to a path traversal attack due to an incomplete fix for GitHub Issue #3504. The…
- CVE-2026-54293 — High (CVSS 7.5): NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research…
Other CWE-400 (Uncontrolled Resource Consumption) vulnerabilities
- CVE-2026-46775 — Critical (CVSS 9.9): Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0.…
- CVE-2025-61303 — Critical (CVSS 9.8): Hatching Triage Sandbox Windows 10 build 2004 (2025-08-14) and Windows 10 LTSC 2021(2025-08-14) contains a…
- CVE-2025-43193 — Critical (CVSS 9.8): The issue was addressed with improved memory handling. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7,…
- CVE-2025-24269 — Critical (CVSS 9.8): The issue was addressed with improved memory handling. This issue is fixed in macOS Sequoia 15.4. An app may be able to…
- CVE-2025-24264 — Critical (CVSS 9.8): The issue was addressed with improved memory handling. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4,…
- CVE-2025-24260 — Critical (CVSS 9.8): The issue was addressed with improved memory handling. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5,…
Browse all CWE-400 (Uncontrolled Resource Consumption) vulnerabilities →