CVE-2021-3828: NLTK Vulnerable to REDoS
(updated )
The nltk package is vulnerable to ReDoS (regular expression denial of service). An attacker that is able to provide as an input to the [_read_comparison_block()(https://github.com/nltk/nltk/blob/23f4b1c4b4006b0cb3ec278e801029557cec4e82/nltk/corpus/reader/comparative_sents.py#L259) function in the file nltk/corpus/reader/comparative_sents.py may cause an application to consume an excessive amount of CPU.
References
- github.com/advisories/GHSA-2ww3-fxvq-293j
- github.com/nltk/nltk
- github.com/nltk/nltk/commit/277711ab1dec729e626b27aab6fa35ea5efbd7e6
- github.com/nltk/nltk/pull/2816
- github.com/pypa/advisory-database/tree/main/vulns/nltk/PYSEC-2021-356.yaml
- huntr.dev/bounties/d19aed43-75bc-4a03-91a0-4d0bb516bc32
- nvd.nist.gov/vuln/detail/CVE-2021-3828
Code Behaviors & Features
Detect and mitigate CVE-2021-3828 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →